Assured Imaging: OCR settles four HIPAA investigations, prioritizes risk analysis

HHS Settles Four HIPAA Violations Tied to Ransomware Attacks, Totaling $1.17 Million

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced four settlements with HIPAA-covered entities over ransomware incidents investigated under the HIPAA Security Rule. The breaches, occurring between 2020 and 2021, collectively exposed the protected health information (PHI) of over 427,000 individuals. The entities paid a combined $1.17 million in fines, agreed to corrective action plans, and will undergo two years of OCR monitoring.

The settlements highlight OCR’s ongoing focus on enforcing HIPAA’s risk analysis requirements, a priority since its first enforcement action under this initiative in October 2024. Notably, the breaches varied in scale, ranging from 9,300 to 244,813 affected individuals, demonstrating that OCR is targeting entities of all sizes for compliance failures.

Key Incidents:

  • Assured Imaging (Arizona/California): A May 2020 PYSA ransomware attack encrypted its EMR system and potentially exfiltrated data, impacting 244,813 individuals. OCR found the company had never conducted a HIPAA-compliant risk analysis and failed to notify victims within 60 days. Assured paid $375,000 and agreed to corrective measures.
  • Regional Women’s Health Group (New Jersey): A December 2020 breach affecting 37,000 patients led to a $320,000 settlement after OCR determined the entity had not assessed risks to PHI.
  • Star Group, L.P. Health Benefits Plan (Connecticut): An October 2021 ransomware attack exposed 9,300 individuals. OCR found improper PHI disclosures and a lack of risk assessment, resulting in a $245,000 fine.
  • Consociate Health (Business Associate): A July 2020 phishing attack led to ransomware deployment six months later, compromising 136,500 individuals’ PHI. OCR cited inadequate risk analysis, leading to a $225,000 settlement.

OCR Director Paula M. Stannard noted that hacking and ransomware remain the most common large breaches reported to the agency. The settlements bring OCR’s total ransomware-related investigations to 19, with 13 completed under its risk analysis initiative.

Source: https://www.techtarget.com/healthtechsecurity/news/366642176/OCR-settles-four-HIPAA-investigations-prioritizes-risk-analysis

Assured Imaging cybersecurity rating report: https://www.rankiteo.com/company/assured-imaging

{
  "id": "ASS1776978420",
  "linkid": "assured-imaging",
  "type": "Ransomware",
  "date": "5/2020",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '244,813',
                        'industry': 'Healthcare',
                        'location': ['Arizona', 'California'],
                        'name': 'Assured Imaging',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '37,000',
                        'industry': 'Healthcare',
                        'location': 'New Jersey',
                        'name': 'Regional Women’s Health Group',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '9,300',
                        'industry': 'Healthcare',
                        'location': 'Connecticut',
                        'name': 'Star Group, L.P. Health Benefits Plan',
                        'type': 'Health Benefits Plan'},
                       {'customers_affected': '136,500',
                        'industry': 'Healthcare',
                        'name': 'Consociate Health',
                        'type': 'Business Associate'}],
 'attack_vector': ['Phishing', 'Exploited Vulnerabilities'],
 'data_breach': {'data_encryption': 'Yes (ransomware encrypted data)',
                 'data_exfiltration': 'Potential (Assured Imaging)',
                 'number_of_records_exposed': '427,000+ (collectively)',
                 'personally_identifiable_information': 'Yes (PHI includes '
                                                        'PII)',
                 'sensitivity_of_data': 'High (PHI includes medical and '
                                        'personal data)',
                 'type_of_data_compromised': 'Protected Health Information '
                                             '(PHI)'},
 'description': 'The U.S. Department of Health and Human Services (HHS) Office '
                'for Civil Rights (OCR) announced four settlements with '
                'HIPAA-covered entities over ransomware incidents investigated '
                'under the HIPAA Security Rule. The breaches, occurring '
                'between 2020 and 2021, collectively exposed the protected '
                'health information (PHI) of over 427,000 individuals. The '
                'entities paid a combined $1.17 million in fines, agreed to '
                'corrective action plans, and will undergo two years of OCR '
                'monitoring.',
 'impact': {'brand_reputation_impact': 'Negative impact due to HIPAA '
                                       'violations and settlements',
            'data_compromised': 'Protected Health Information (PHI)',
            'financial_loss': '$1,170,000 (total fines)',
            'identity_theft_risk': 'High (PHI exposed)',
            'legal_liabilities': 'Fines imposed, corrective action plans, OCR '
                                 'monitoring',
            'operational_impact': 'Data encryption, potential data '
                                  'exfiltration, delayed victim notifications',
            'systems_affected': ['EMR (Electronic Medical Records) system']},
 'initial_access_broker': {'entry_point': 'Phishing (Consociate Health)'},
 'investigation_status': 'Completed (13 of 19 ransomware-related '
                         "investigations under OCR's risk analysis initiative)",
 'lessons_learned': 'HIPAA-compliant risk analysis is critical to prevent '
                    'ransomware attacks and avoid regulatory penalties. '
                    'Entities of all sizes are subject to OCR enforcement.',
 'post_incident_analysis': {'corrective_actions': 'Conduct risk analyses, '
                                                  'implement corrective action '
                                                  'plans, undergo OCR '
                                                  'monitoring',
                            'root_causes': 'Lack of HIPAA-compliant risk '
                                           'analysis, inadequate cybersecurity '
                                           'measures, delayed incident '
                                           'response'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Potential (Assured Imaging)',
                'ransomware_strain': 'PYSA (Assured Imaging)'},
 'recommendations': 'Conduct regular HIPAA-compliant risk analyses, implement '
                    'robust cybersecurity measures, ensure timely victim '
                    'notifications, and prepare for OCR compliance audits.',
 'references': [{'source': 'U.S. Department of Health and Human Services (HHS) '
                           'Office for Civil Rights (OCR)'}],
 'regulatory_compliance': {'fines_imposed': '$1,170,000 (total)',
                           'legal_actions': 'Settlements, corrective action '
                                            'plans, OCR monitoring',
                           'regulations_violated': 'HIPAA Security Rule',
                           'regulatory_notifications': 'OCR investigations'},
 'response': {'communication_strategy': 'Delayed victim notifications (Assured '
                                        'Imaging)',
              'remediation_measures': 'Corrective action plans, OCR monitoring '
                                      'for two years'},
 'stakeholder_advisories': 'OCR emphasizes the importance of HIPAA Security '
                           'Rule compliance to mitigate ransomware risks.',
 'title': 'HHS Settles Four HIPAA Violations Tied to Ransomware Attacks, '
          'Totaling $1.17 Million',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Lack of HIPAA-compliant risk analysis'}