HIPAA Settlement of $25K with New York Neurology Practice Over Ransomware Attack

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has reached a settlement with Comprehensive Neurology, a small neurology practice based in New York, following a potential violation of the HIPAA Security Rule. The investigation stemmed from a ransomware attack that compromised the electronic protected health information (ePHI) of patients.

OCR’s investigation revealed potential failures by the practice to implement adequate security measures required under the HIPAA Security Rule, such as conducting a thorough risk analysis and maintaining appropriate safeguards to protect ePHI. The breach impacted sensitive health data and underscored vulnerabilities in the practice’s cybersecurity defenses.

Ransomware and hacking remain the leading cyber threats to electronic health information in the healthcare sector. Ransomware, a form of malicious software (malware), is designed to block access to a user’s data—typically by encrypting it—until a ransom is paid. This settlement represents the 12th enforcement action related to ransomware and the 8th action under OCR’s ongoing Risk Analysis Initiative.

As part of the settlement, Comprehensive Neurology agreed to pay a monetary fine of $25K and implement a corrective action plan that will be monitored for two years to strengthen its HIPAA compliance program, including risk assessments, updated security policies, and staff training.

This case highlights the importance of proactive cybersecurity measures for all healthcare providers, regardless of size, and reinforces OCR’s commitment to protecting patient data in the face of increasing cyber threats like ransomware.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy