The HHS is imposing a $240,000 civil monetary penalty on the institute following a cybersecurity investigation into three data breaches.
The Breaches
According to the Office for Civil Rights’ (OCR) Notice of Proposed Determination, the incident first came to OCR’s attention in 2018, when Providence Medical Institute (PMI) filed a breach report with the Department of Health and Human Services (HHS).
For context, PMI is a non-profit physician services organization in Southern California. It employs 275 providers working in 35 medical offices.
Relevant to the breach was a recent acquisition by PMI: in July 2016 it acquired the Center for Orthopaedic Specialists (COS), which provides full orthopedic medical services in western Los Angeles County and eastern Ventura County.
Before the acquisition, COS was an independent physician practice with its own IT network. After the acquisition, COS began a two-year process of integrating its systems into PMI’s IT environment. The integration ran into delays and was ultimately completed in May 2019.
Unfortunately, the COS systems were attacked three times before the integration was completed. The attacks occurred on consecutive Sundays in the spring of 2018.
A String of Attacks
On February 18th, 2018, systems containing electronic protected health information (ePHI), which HIPAA requires to be protected, were attacked.
The attackers sent a phishing email that an employee opened, and the resulting ransomware locked up patient data. The threat group demanded a ransom to restore it, but COS was able to restore the data from backups within several days.
Just one week later, on February 25th, 2018, the COS systems were hit by a second ransomware attack. This time the attackers encrypted the ePHI, making it inaccessible to COS. The organization was again able to restore patient data from backups.
On March 4th, a third ransomware attack hit the COS systems, and the attackers were able to access ePHI. In this attack the actors also gained remote desktop access to COS’s systems using administrator credentials that had been compromised in one of the earlier attacks.
On April 18th, 2018, PMI filed a breach report with OCR estimating that the breach affected the data of 85,000 individuals.
The compromised PHI included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, lab results, medications, treatment information, credit card information, bank account numbers, and other financial information.
The Investigation
On May 10th, 2018, OCR notified PMI that it would investigate the breach report and PMI’s compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
OCR noted that the breach could be linked to COS’s IT vendor, CSnC, which provided data management for the network, including its eClinicalWorks electronic health record servers. CSnC maintained COS’s ePHI and had access to it. Although CSnC therefore qualified as a business associate under HIPAA, COS did not require a business associate agreement with it until after June 15th, 2018.
PMI also assessed COS’s ePHI environment several months after the attacks. The assessment found that COS ran older, unsupported operating systems, did not separate its private network from its public-facing one, did not have a properly configured firewall, and had Remote Desktop Protocol (RDP) exposed, which allowed an external operator to take control of desktops.
COS also let workers share generic accounts with administrator privileges, so anyone who logged in with them had nearly unrestricted administrative access. Lastly, COS did not encrypt its ePHI, so attackers who reached the systems could read it directly.
The Penalty
OCR’s investigation determined that PMI had no business associate agreement with CSnC from its acquisition of COS in 2016 until one was executed in 2018, and that other weaknesses in its data security remained.
OCR notified PMI of the investigation’s findings on September 20th, 2023, and gave it an opportunity to resolve the issues informally.
Although PMI attempted to resolve some of the issues outlined above, OCR determined that PMI had failed to adequately address multiple security concerns. As a result, PMI must pay a civil monetary penalty.
OCR’s determination rested on two main findings:
- PMI did not have a business associate agreement with CSnC between July 2016 and June 2018, a violation of HIPAA.
- PMI did not implement the technical policies and procedures needed to secure the systems holding electronic health records.
After accounting for all aggravating and mitigating factors, OCR is imposing a penalty of $240,000 against PMI.
The penalty was finalized on October 3rd, 2024.
To prevent future penalties, OCR recommends that health care providers, health plans, clearinghouses, and business associates do the following:
- Review business relationships and ensure business associate agreements are in place when required.
- Integrate risk analysis and risk management into business processes.
- Use audit controls and regularly review system activity.
- Use multi-factor authentication and encrypt ePHI.
- Provide specific training as needed for your organization.
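Two of the weaknesses found at COS, RDP reachable from outside and generic administrator accounts shared between staff, are exactly the kind of thing the "audit controls and regularly review system activity" recommendation is meant to surface. The following is an added example, not code from the article, OCR, PMI, or Cloudticity, of a small review script over Windows logon events. It assumes the Windows Security event 4624 field names (TargetUserName, LogonType, IpAddress, WorkstationName), that LogonType 10 denotes an RDP session, and that the practice's internal ranges are RFC 1918 space; the log lines it runs over are constructed for the example, with RFC 5737 documentation addresses standing in for internet sources.

```python
"""Flag external RDP logons and shared-account use in Windows logon events.

Added illustration, not code from the article, OCR, or PMI. Field names follow
the Windows Security event 4624 (successful logon) schema; LogonType 10 is
RemoteInteractive, i.e. an RDP session. The log lines below are constructed.
"""
import ipaddress
from collections import defaultdict

SUCCESSFUL_LOGON = "4624"   # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"       # RemoteInteractive (Terminal Services / RDP)

# Networks that legitimate interactive sessions may originate from. Assumption
# for this example: the practice's internal ranges are RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample records (key=value per line); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet sources.
SAMPLE_LOG = """\
TimeCreated=2024-05-05T02:11:05 EventID=4624 TargetUserName=admin LogonType=10 IpAddress=203.0.113.45 WorkstationName=WIN10-EXT
TimeCreated=2024-05-05T08:30:12 EventID=4624 TargetUserName=admin LogonType=10 IpAddress=10.0.1.23 WorkstationName=FRONTDESK1
TimeCreated=2024-05-05T09:02:41 EventID=4624 TargetUserName=admin LogonType=2 IpAddress=- WorkstationName=BILLING2
TimeCreated=2024-05-05T09:15:00 EventID=4624 TargetUserName=jsmith LogonType=10 IpAddress=10.0.1.40 WorkstationName=CLINIC-PC7
TimeCreated=2024-05-05T11:47:19 EventID=4624 TargetUserName=admin LogonType=10 IpAddress=198.51.100.8 WorkstationName=LAPTOP-9Q
TimeCreated=2024-05-05T12:00:03 EventID=4625 TargetUserName=admin LogonType=10 IpAddress=198.51.100.8 WorkstationName=LAPTOP-9Q
"""


def parse_events(text):
    """Turn 'key=value key=value' lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def is_external(ip):
    """True when the source address is outside every allow-listed network.

    '-' (no network source, e.g. a console logon) and unparsable values are
    treated as not external rather than raising.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Successful RDP logons from outside the internal networks: the pattern
    of an internet-exposed RDP service being used with valid credentials."""
    return [
        e for e in events
        if e.get("EventID") == SUCCESSFUL_LOGON
        and e.get("LogonType") == RDP_LOGON_TYPE
        and is_external(e.get("IpAddress", "-"))
    ]


def shared_account_candidates(events, min_sources=2):
    """Accounts successfully used from several distinct (workstation, IP)
    pairs, a signature of generic credentials passed around between staff."""
    sources = defaultdict(set)
    for e in events:
        if e.get("EventID") == SUCCESSFUL_LOGON:
            sources[e["TargetUserName"]].add(
                (e.get("WorkstationName", "-"), e.get("IpAddress", "-")))
    return {user: srcs for user, srcs in sources.items() if len(srcs) >= min_sources}


def review(text):
    """Run both checks over a log and summarise the findings."""
    events = parse_events(text)
    return {
        "external_rdp": [(e["TimeCreated"], e["TargetUserName"], e["IpAddress"])
                         for e in external_rdp_logons(events)],
        "shared_accounts": {u: len(s) for u, s in shared_account_candidates(events).items()},
    }


if __name__ == "__main__":
    for kind, findings in review(SAMPLE_LOG).items():
        print(kind, findings)
```

On the constructed log this reports two successful RDP logons to `admin` from internet addresses and shows `admin` being used from four different workstation/address pairs, while the failed logon (event 4625) and the console logon are ignored. With a properly configured firewall the first list should always be empty; with per-user accounts and no shared administrator credentials the second should be too, which is what makes these two checks worth running on a schedule rather than only after an incident.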
How Cloudticity Can Help
Data breaches are frequent and often opportunistic: attackers target organizations with weak, easily penetrated security. Despite the looming threat, a shortage of cybersecurity experts means many organizations are ill-prepared, running old software or procedures unfit for today’s challenges.
As a HITRUST-certified organization with over 10 years as a leader in managed security for healthcare, we’ve never suffered a data breach. Despite an ever-evolving threat landscape with more sophisticated actors than ever, we’ve kept every organization we’ve worked with secure. We use a proven security tech stack with the best cybersecurity experts, ensuring your data is safe and any vulnerabilities are promptly addressed.
Attacks, and the costs that follow them in legal fees, system upgrades, and penalties, are rising. Cloudticity helps organizations focus their resources on serving patients instead of security concerns.
If you want to learn more about how we can help protect your organization from network attacks, reach out for a free consultation today.