HHS’ Office for Civil Rights Settles Ransomware Investigation with Health Plan


Settlement Marks OCR’s 20th Ransomware Enforcement Action and 14th Enforcement Action in OCR’s Risk Analysis Initiative

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today announced a settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans (the Plan), the employer-sponsored group health plan of Spencer Gifts LLC, a national retail company, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

“Effective cybersecurity starts with Security Rule compliance, ensuring that Security Rule provisions are implemented before a cyberattack occurs,” said OCR Director Paula M. Stannard. “Regulated entities — including covered group health plans — should ensure these protections are firmly in place well before a cyberattack occurs, so the privacy and security of individuals’ health information remain safeguarded.”

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates (collectively, regulated entities) must follow to protect the privacy and security of protected health information (PHI). The risk analysis provision of the HIPAA Security Rule requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) held by those organizations.

The settlement resolves an investigation that OCR initiated after the Plan filed a breach report on January 24, 2022. The Plan had received employee complaints that employees were unable to connect to the virtual private network. The Plan discovered that in November 2021, an unauthorized actor accessed the company’s network and deployed ransomware, encrypting data on the company’s systems, including servers storing the Plan’s PHI, and demanding a ransom. The PHI of 10,023 individuals was potentially affected by the breach, including health plan members’ names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers. OCR found that the Plan had potentially violated provisions of the Privacy and Security Rules, including:

  • Failing to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the Plan prior to the breach incident; and
  • Failing to implement reasonable and appropriate policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules prior to the breach incident.

Under the terms of the resolution, the Plan paid $450,000 and agreed to a two-year corrective action plan monitored by OCR. Under the corrective action plan, the Plan has committed to:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Review and, to the extent necessary, revise its current Privacy, Security, and Breach Notification Rule policies and procedures to comply with the HIPAA Rules; and
  • Ensure that all workforce members are trained with respect to its Privacy, Security, and Breach Notification Rule policies and procedures.

OCR recommends that regulated entities, including health care providers, health plans, health care clearinghouses, and business associates, take the following steps to mitigate or prevent cyber threats:

  • Identify where ePHI exists in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks to the confidentiality, integrity, and availability of ePHI.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

The resolution agreement and corrective action plan can be found at: https://www.hhs.gov/sites/default/files/ocr-ra-cap-spencer.pdf.

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of individuals’ health information. The HIPAA Privacy Rule establishes national standards to protect individuals’ PHI; sets limits and conditions on the uses and disclosures of PHI; and gives individuals certain rights, including the right to timely access their health records. The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the security, confidentiality, integrity, and availability of ePHI.

Guidance about the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and the Security Rule’s Risk Analysis requirement, can also be found on OCR’s website.

Covered entities must comply with breach notification obligations under the HIPAA Breach Notification Rule. When submitting a notice of a breach of unsecured PHI to the HHS Secretary, covered entities must use the HHS Breach Portal.

If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR.

Follow HHS OCR on X at @HHSOCR.
