The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has announced a $240,000 civil money penalty against Providence Medical Institute, a covered entity in southern California, for violations of the HIPAA Security Rule. OCR opened its investigation after the covered entity reported a series of ransomware attacks that compromised the electronic protected health information (ePHI) of roughly 85,000 individuals, including names, addresses, Social Security numbers, health care information, driver's license numbers, and bank account numbers.
The breach began when a staff member clicked on a phishing email. Using administrator credentials, the attacker then gained remote access to systems holding the ePHI.
The covered entity relied on an outside IT company for data management services but, for several years, had no business associate agreement in place with that company. OCR found that this gap contributed to access control deficiencies that helped make the ransomware attacks possible. The covered entity had also failed to implement any policies or procedures to ensure that only authorized persons or software programs could access the ePHI. Finally, OCR found that the covered entity did not act reasonably to end the unauthorized access once it was discovered: simply changing the compromised administrator credential would have cut off the attacker and prevented the repeated attacks that followed.
Hall Benefits Law, LLC