Written by : Dr. Aishwarya Sarthe
October 8, 2024
The breach in 2018 impacted the electronic protected health information (ePHI) of approximately 85,000 individuals. This incident underscores the rising cybersecurity threat in the healthcare sector.
Providence Medical Institute, a Southern California-based division of Providence Health System, has been fined $240,000 by the US Department of Health and Human Services (HHS) for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) following a ransomware attack.
The HHS Office for Civil Rights (OCR) opened an investigation after Providence reported the breach in April 2018. The report described a series of ransomware attacks on its IT systems between February and March 2018 that encrypted servers holding sensitive ePHI.
OCR's investigation identified two HIPAA Security Rule violations. First, Providence had failed to put a business associate agreement in place; such agreements are the mechanism by which a covered entity contractually binds third-party vendors to safeguard the ePHI they handle.
Second, the health system lacked adequate policies and procedures to restrict access to ePHI to only those people and software programs that had been granted access rights.
Melanie Fontes Rainer, Director of OCR, emphasized the need for compliance. "Failures to fully implement all of the HIPAA Security Rule requirements leave HIPAA-covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients' health information."
In March 2024, Providence waived its right to a hearing, choosing not to contest the OCR findings. The health system agreed to pay the $240,000 fine, thus resolving the matter.
Since the 2018 Providence case, ransomware attacks have surged: large ransomware-related breaches are up 264% over that period. A 2023 BakerHostetler report found that ransomware accounted for more than 70% of network intrusions in the healthcare sector.
OCR has stressed that healthcare organizations need to strengthen cybersecurity measures and repeatedly highlighted the importance of the HIPAA Security Rule in helping prevent such attacks.
Key areas of focus include putting business associate agreements in place with vendors, integrating risk analysis and risk management into business processes, conducting regular audits of information system activity, and encrypting ePHI.
This case marks the fifth monetary penalty issued by OCR for ransomware-related breaches in 2024 alone.
Earlier this year, a Maryland behavioral health practice paid a $40,000 fine after a ransomware attack compromised the ePHI of 14,000 individuals.
Some lawmakers argue that the current approach to healthcare cybersecurity is insufficient. Senator Mark Warner has expressed concern over the rise in cyberattacks and urged the government to implement stronger cybersecurity standards for healthcare organizations.
In a letter to HHS Secretary Xavier Becerra, Warner called for mandatory minimum cybersecurity protocols and increased funding to help smaller hospitals comply with these standards.
He and Senator Ron Wyden introduced the Health Infrastructure Security and Accountability Act, which proposes stricter penalties for healthcare executives who provide false information regarding their organization’s cybersecurity practices.
HHS continues to offer resources to help healthcare organizations mitigate cybersecurity threats and urges them to take proactive steps to protect sensitive patient data.