OCR Settles Four HIPAA Ransomware Investigations Affecting 427,000 Individuals

Severity: Medium (Score: 51.9)

Sources: Databreaches, Techtarget, www.hhs.gov

Summary

The HHS Office for Civil Rights (OCR) announced settlements with four HIPAA-covered entities following separate ransomware investigations under the HIPAA Security Rule. These incidents collectively affected over 427,000 individuals and involved unsecured protected health information. The entities involved paid a total of $1.17 million and agreed to implement corrective action plans while being monitored by OCR for two years. Notably, the breaches were not large in scale, with the smallest affecting just 9,300 individuals, indicating that OCR is enforcing compliance across all sizes of entities. The settlements are part of OCR's ongoing efforts to prioritize risk analysis provisions under HIPAA, which have been emphasized since October 2024. OCR Director Paula M. Stannard highlighted the importance of proactive security measures to mitigate cyber threats. The affected entities included Assured Imaging, which suffered a ransomware attack in May 2020, and failed to conduct a compliant risk analysis. The settlements mark a total of 19 completed investigations related to ransomware incidents under OCR's risk analysis initiative. Key Points: • OCR settled four investigations related to ransomware breaches affecting over 427,000 individuals. • The total financial settlements amounted to $1.17 million across the four entities. • OCR emphasizes the importance of proactive risk analysis to prevent future breaches.

Key Entities

• Data Breach (attack_type)
• Phishing (attack_type)
• Ransomware (attack_type)
• Assured Imaging (company)
• Axia Women's Health (company)
• Consociate Health (company)
• Regional Women's Health Group (company)
• Star Group, L.P. Health Benefits Plan (company)
• T1486 - Data Encrypted for Impact (mitre_attack)
• T1566 - Phishing (mitre_attack)
• PYSA (ransomware_group)