2nd Settlement Triggered by 2017 Ransomware Attack Costs WA Practice $100K; 'Not a Breach' | Health Care Compliance Association (HCCA) | JD Supra

Report on Patient Privacy 24, no. 10 (October 2024)

Let's review for a moment.

It's not a HIPAA violation to be a victim of ransomware.

It's not a HIPAA violation to pay a ransom.

It's up to the covered entity (CE) to determine if a security or privacy incident is a breach reportable to the HHS Office for Civil Rights (OCR), patients, the media and state regulators, though of course authorities could disagree later.

Yet on June 17, Amber Gilroy, CEO of Cascade Eye and Skin Centers, P.C., of Washington state, signed a settlement agreement with OCR that included a $250,000 payment and an extensive two-year corrective action plan (CAP).[1] OCR didn't announce the settlement until three months later, and then, as it has with the previous three similar settlements, linked it to the growing incidence of ransomware afflicting health care organizations.

Cascade was attacked in 2017, a particularly bad (or good, depending on the perspective) year for ransomware. Its attack that spring preceded the worldwide spread of both WannaCry and NotPetya. Yet neither is what infiltrated Cascade's systems, according to information provided to RPP by Gilroy and outside counsel John R. Christiansen. Nor was this handled as a reportable breach, echoing the $950,000 settlement between OCR and Heritage Valley Health System announced July 12. In both, OCR based its enforcement action in part on an alleged failure to complete a risk analysis.

Another revealing detail from Christiansen: OCR officials personally visited Cascade's offices during the investigation. Cascade, which dates its roots to 1967, has more than 30 providers in seven locations. It prides itself on involvement in numerous charitable causes, including providing free cataract surgery to needy patients and raising money for the American Heart Association and the American Cancer Society.

Both OCR's announcement and the agreement provide few details about what led to the settlement and its terms, particularly the payment amount. That situation is not uncommon, but it is often frustrating to covered entities (CEs) and business associates (BAs), who are continually advised to scrutinize every OCR enforcement action to understand how the agency operates and what to expect should they become the target of an investigation.

OCR said simply that officials were tipped off via a complaint on May 26, 2017, that Cascade had experienced a ransomware attack in March of that year, which the agency stated affected approximately 291,000 files that contained electronic protected health information (ePHI).

"OCR's investigation found multiple potential violations of the HIPAA Security Rule, including failures by Cascade Eye and Skin Centers to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems, and to have sufficient monitoring of its health information systems' activity to protect against a cyberattack," it said. However, the settlement agreement itself enumerates just two: risk analysis and regular review of system activity.

Gilroy and Christiansen told RPP they wanted to reiterate that the $250,000 is not based on any finding of a breach, despite the implications of the OCR press release. Whether a breach occurred wasn't cited or discussed as a possible violation or as the basis for the amount of the payment, they said. As with most settlements, Cascade did not admit to wrongdoing.

Gilroy, who joined Cascade in May 2021, and Christiansen answered all of RPP's questions except one: the amount of the ransom.

Here's what happened, according to Gilroy:

On March 21, 2017, Cascade discovered ransomware in its systems when a Cascade employee was unable to open a file in a shared folder. A Cascade IT employee determined that the file appeared to have been encrypted. Cascade immediately contacted its outsourced IT support team and disconnected the potentially infected servers from the network.

Next, Cascade ran two anti-malware programs, which did not find any malicious software but did determine that some segments contained files encrypted without authorization. Forensic investigation traced the source to a specific workstation onto which a Dharma ransomware variant had been downloaded, probably from a spam or spoofed email.

Cascade determined that approximately 291,000 files, which included PHI limited to names, addresses and certain images, had been encrypted. A ransomware demand document was found, the ransom was paid and the affected files were recovered.

The medical practice's forensic investigation indicated there had not been unauthorized access to any other systems, or any exfiltration or other unauthorized transmission of information from the servers.

"The servers were reimaged without the corrupted data to bring systems back online as quickly as possible, and the encrypted data was recovered by information provided after the ransomware payment," Christiansen said. He added that, "as far as we know, the responsible individuals were never identified or charged."

Gilroy said she was told that Cascade was offline for several days. "Our clinicians and staff quickly moved to a paper-based process, but I can't speak to any patient care being paused."

Regarding the ransom: "We prefer not to provide the specific amount," she said, noting the decision was made "some years before I joined Cascade."

Cascade's forensic and legal review concluded "this was not a reportable breach and no PHI was accessed by or exported to any unauthorized party," Christiansen said.

In addition to the payment, Cascade is complying with the three-year CAP, which includes terms that go beyond the two specific violations OCR alleged occurred.[3]

According to the CAP, OCR said Cascade had potentially violated:[4]

The requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by Cascade. See 45 C.F.R. § 164.308(a)(1)(ii)(A).

The requirement to implement procedures to regularly review records of information system activity. See 45 C.F.R. § 164.308(a)(1)(ii)(D).

The agency also required Cascade to establish and implement a contingency plan, and a procedure to identify unique users, to better track activity within its electronic systems.

OCR is not known for speedy resolution of its investigations, which holds true for Cascade as well. RPP asked the organization why it took seven years to reach a settlement.

"Cascade provided full cooperation to OCR, and the investigation included an extensive OCR site visit and several follow-up inquiries from OCR," Christiansen said. "The COVID pandemic probably played a significant role in the timing of the investigation, but we would prefer not to speculate as to the reasons for OCR's timing or the amount of the consent amount."

The size of the settlement amounts or fines OCR imposes for HIPAA violations is of concern to CEs and BAs, but OCR frequently gives no explanation. RPP has documented the variability in payments, and some organizations reported feeling forced into making payments they considered excessive.

For example, the CEO of Doctors' Management Service, which was the first to enter a settlement stemming from a ransomware attack, told RPP that OCR insisted his small billing firm pay $10,000 once the agency realized his cyber insurance would cover it.[5] He also described the five-year process to reach a settlement as frustrating and sometimes terrifying, as it threatened the survival of the company.

Similarly, Cascade had hoped for more financial forbearance from OCR in setting the payment, Gilroy said, adding that it experienced financial difficulties during the pandemic, which affected resources.

Commenting more generally on the compliance challenges that many CEs face, Gilroy noted that Cascade is "a relatively small organization with limited resources, which prior to my joining Cascade may have led to some underfunding of risk assessment and mitigation as operational needs were prioritized."

RPP asked what safeguards, upgrades, controls or other measures Cascade may have adopted after the attack. "We can't go into any specifics for publication, but have definitely implemented improvements," Gilroy said. "Of course, this event happened seven years ago, so some safeguards and controls which might have been appropriate then aren't appropriate or sufficient any longer."

Cascade also implemented "multiple layers of safeguards, including security factors, audits and policies, in an effort to identify and manage risks and vulnerabilities consistently with the Security Rule and industry standards and with the CAP," she added.

Asked what CEs and BAs could learn from Cascade's experience, Gilroy said officials should realize "you cannot prevent every attack, but have tools at your fingertips to prevent as much as possible and be prepared to recover."

She added that it is important to know who to call for IT support, investigation and legal support. "Do your own investigations, but cooperate with OCR and help them understand your organization and its particular situation and needs."

1. U.S. Department of Health and Human Services, "HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation under HIPAA Security Rule for $250,000," news release, September 26, 2024, https://bit.ly/4eQvx13.

2. Theresa Defino, "Seven Years After Worldwide NotPetya Attacks, OCR Singles Out PA System, Collects Nearly $1M," Report on Patient Privacy 24, no. 8 (August 2024), https://bit.ly/3XYq2Xg.

3. Theresa Defino, "Cascade's CAP Has Breach Notification Focus, Frequent Reporting," Report on Patient Privacy 24, no. 10 (October 2024).

4. U.S. Department of Health and Human Services, "Cascade Eye and Skin Centers, P.C. Resolution Agreement and Corrective Action Plan," content last reviewed September 26, 2024, https://bit.ly/4gFBJec.

5. Theresa Defino, "BA Depicted by OCR as Example of Ransomware Dangers Recovered Quickly, Didn't Expect Fine," Report on Patient Privacy 23, no. 11 (November 2023), https://bit.ly/41W7WqD.