Providence Medical Institute experienced a series of ransomware attacks that compromised the electronic protected health information (ePHI) of approximately 85,000 patients. The attacks encrypted its servers on three occasions and highlighted deficiencies in its compliance with the HIPAA Security Rule. The failures included the lack of a business associate agreement and insufficient policies and procedures to restrict access to ePHI. As a result of these security lapses, the HHS OCR imposed a civil penalty of $240,000 on the institution.
"id": "pro000101524",
"linkid": "providence-medical-center",
"type": "Ransomware",
"date": "10/2024",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"