
HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $250,000

Kathryn Van Sistine


On September 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced it settled the Health Insurance Portability and Accountability Act (HIPAA) Security Rule violation investigation related to a ransomware cybersecurity attack at Cascade Eye and Skin Centers, P.C. for $250,000. 

Cascade Eye and Skin Centers is a privately owned health care provider in Washington. OCR initiated the investigation as a violation of the HIPAA Security Rule, which outlines the national standards covered entities must follow to protect electronic protected health information (ePHI). The ransomware attack targeting Cascade Eye and Skin Centers affected approximately 291,000 files containing ePHI. OCR’s investigation uncovered multiple violations of the HIPAA Security Rule, such as (1) failing to conduct a compliant risk analysis to uncover the potential ePHI risks and vulnerabilities across its systems and (2) failing to sufficiently monitor its health information systems’ activity to ward off cyberattacks. In addition to the $250,000 settlement payment to OCR, Cascade Eye and Skin Centers will implement a corrective action plan that OCR will monitor for two years.

The settlement is OCR’s fourth Security Rule settlement related to a ransomware attack, occurring amid a 264% increase in large ransomware breaches reported to OCR since 2018. HHS OCR underlined the severity of ransomware attacks in the announcement: “Ransomware and hacking are the primary cyber-threats in health care.”