November 30, 2020

Volume X, Number 335

OCR Imposes Fines on Health Plan, Business Associate, and Physician Group Related to Hacking Incidents; Warns Providers of Malware Attack.

In September, the Office for Civil Rights (OCR) announced three separate enforcement actions, including the second-largest HIPAA financial settlement in OCR history. These three actions and settlements were against: (1) a health plan; (2) a business associate; and (3) a physician group. All of these actions related to hacking and malware attacks on the entities in 2014 through 2016.

On Sept. 21, 2020, OCR announced a $1.5 million settlement with Athens Orthopedic Clinic, PA in Georgia.  The settlement stemmed from an incident occurring on July 26, 2016, when a journalist notified the clinic that a database of their patient records was posted for sale on the internet.  The posting of that patient data followed actions by a hacker who later contacted the clinic to demand a ransom for a complete copy of the stolen database.  According to the OCR report, the hackers breached the clinic’s systems using the credentials of a vendor on June 14, 2020, and were in the system for over a month during which time they exfiltrated the clinic’s PHI. 

The clinic reported the breach to OCR on July 29, 2016, and stated that 208,557 individuals had been affected. The breach involved the patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information. OCR contended that the practice had longstanding and systemic noncompliance with HIPAA privacy and security rules, including the failure to conduct a risk analysis, to implement risk management and audit controls, to maintain HIPAA policies and procedures, to secure business associate agreements with multiple vendors, and to provide training to workforce members.

In addition to the fines, the clinic agreed to a robust corrective action plan that includes two years of monitoring by OCR.  The corrective action plan also includes analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by the clinic or its affiliates that contain, store, transmit, or receive ePHI. 

A couple of days later, on Sept. 23, 2020, OCR announced that it had reached a settlement with a Business Associate (BA), CHSPSC LLC, for $2.3 million to settle a breach that affected approximately six million individuals.  The BA provided IT and health information management services to hospitals and physician clinics owned by Community Health Systems and the incident affected multiple Covered Entities.  In April 2014, the FBI notified the BA that its systems had been hacked and that it had traced a cyber-hacking group’s advanced persistent threat to the BA’s systems.  The hackers allegedly continued to access and exfiltrate data until August 2014 using compromised administrative credentials to remotely access the BA’s systems through its virtual private network. 

OCR found that the BA demonstrated longstanding and systemic noncompliance with HIPAA security rules, including the failure to conduct a risk analysis and failures to implement information system activity review, security incident procedures, and access controls.  The BA also agreed to a corrective action plan and two years of monitoring by OCR.  The corrective action plan includes revision of policies and procedures regarding technical access controls for software applications and network equipment, information system activity review for the regular review of audit logs, access reports, and security incident tracking reports, Security Incident Procedures and Response and Reporting, and password management. 

Finally, on Sept. 25, 2020, a health insurer, Premera Blue Cross, agreed to pay $6.85 million to settle a data breach that affected over 10.4 million people.  This was the second biggest payment in OCR history to resolve a HIPAA investigation.  The settlement stemmed from a March 17, 2015, breach report stating that hackers had gained access to its information technology system.  The threat actors utilized a phishing email to install malware that gave them access to the system in May 2014.  This improper access was not discovered until January 2015 during which time the actors gained access to names, addresses, dates of birth, email addresses, social security numbers, bank account information, and health plan clinical information. 

OCR found that the health plan demonstrated systemic noncompliance with the HIPAA rules, including the failure to conduct an enterprise-wide risk assessment and the failure to implement risk management and audit controls.  The health plan also agreed to a corrective action plan that includes two years of monitoring by OCR and an accurate and thorough Risk Analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. 

A key issue in all three settlements was the failure to have a comprehensive risk assessment and other security controls.  All Covered Entities and Business Associates are required to conduct periodic risk analyses under the HIPAA security rules.  Health care entities, and their Business Associates, should review their risk assessments and make sure they are being conducted on a regular basis. 

Furthermore, health care providers and their Business Associates should make sure that malware detection and recovery from hacking attacks are part of their assessments. 

In line with the recent enforcement decisions, OCR recently issued a warning to health care providers about the Taidoor malware allegedly being used by the Chinese government, which has already affected certain health care systems. The warning also includes response actions and recommended mitigation techniques and references a Malware Analysis Report (MAR) by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Defense. More information on Chinese malicious cyber activity is available on the CISA website. CISA recommends taking the following actions:

  • Maintain up-to-date antivirus signatures and engines.
     
  • Keep operating system patches up-to-date.
     
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
     
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
     
  • Enforce a strong password policy and implement regular password changes.
     
  • Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
     
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
     
  • Disable unnecessary services on agency workstations and servers.
     
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
     
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
     
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
     
  • Scan all software downloaded from the internet prior to executing.
     
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
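
The "true file type" check from the list above, sketched as an added example (not code from CISA, OCR, or the authors): it compares an attachment's extension with the header bytes at the start of the file. The signature table is a small subset chosen for illustration, and the file names and byte strings are constructed samples.

```python
import os

# (header bytes, detected type, extensions that legitimately carry that header)
MAGIC = [
    (b"%PDF-", "pdf", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"GIF8", "gif", {".gif"}),
    (b"PK\x03\x04", "zip container", {".zip", ".docx", ".xlsx", ".pptx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt"}),
    (b"MZ", "windows executable", {".exe", ".dll", ".scr"}),
]

def detect_type(data):
    """Return (label, allowed extensions) for the first matching header."""
    for header, label, exts in MAGIC:
        if data.startswith(header):
            return label, exts
    return None, set()

def check_attachment(filename, data):
    """Return (verdict, detected type); verdict is match, mismatch or unknown."""
    ext = os.path.splitext(filename.strip().lower())[1]
    label, allowed = detect_type(data)
    if label is None:
        # No known header: a mismatch if the extension promises one we know,
        # otherwise the table simply cannot judge this file (e.g. plain text).
        promised = any(ext in exts for _, _, exts in MAGIC)
        return ("mismatch" if promised else "unknown"), None
    return ("match" if ext in allowed else "mismatch"), label

# Constructed samples: (attachment name, first bytes of the file)
SAMPLES = [
    ("scan_results.pdf", b"%PDF-1.7\n"),
    ("invoice.pdf", b"MZ\x90\x00\x03"),   # executable header behind a .pdf name
    ("photo.JPG", b"\xff\xd8\xff\xe0"),
    ("statement.pdf", b"<html><body>"),   # claims PDF, carries no PDF header
    ("notes.txt", b"hello"),
]

def flagged(samples):
    """Names of attachments whose extension does not match the header."""
    return [n for n, d in samples if check_attachment(n, d)[0] == "mismatch"]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, check_attachment(name, data))
```

A matching header only confirms the container type; Office documents and ZIP archives share one header, so a match does not replace content scanning.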
©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 276

About this Author

Mark L. Mattioli Shareholder Health Care & FDA Practice Commercial Litigation Data, Privacy & Cybersecurity Antitrust Litigation & Competition Regulation
Shareholder

Mark L. Mattioli utilizes his twenty-plus years of experience in the health care industry to assist a wide variety of health care entities including hospitals, physicians, Long Term Care Providers, Home Health, Dialysis, DME, Clinical Labs and insurers in navigating and solving complex issues. He provides regulatory, transactional and compliance guidance in areas such as antitrust, health care reform, managed care contracting, reimbursement, fraud and abuse (Stark and anti-kickback), health information privacy and security, medical staff credentialing, licensing, change of ownership, and...

215-988-7884
Eleanor (Miki) A. Kolton, Greenberg Traurig Law Firm, Washington DC, Healthcare and Cybersecurity Law Attorney
Of Counsel

Eleanor (Miki) A. Kolton has wide-ranging legal, administrative and management experience in medical practice law; HIPAA, Stark, Medicare and CMS regulations; with the U.S. Food and Drug Administration (FDA) and the Federal Trade Commission (FTC); and other civil and administrative law areas. She possesses executive corporate experience and broad clinical background in a variety of health care settings, including the ability to understand scientific and medical community cultures, business challenges and concerns.

Prior to joining the firm, Miki...

202-331-3134
Samantha R. Beck Health Care Attorney Greenberg Traurig Washington, D.C.
Associate

Samantha Beck is a member of the Health Care Practice in Greenberg Traurig's Washington, D.C. office. She has wide-ranging experience with Medicare and provides guidance on regulatory and transactional matters to health care providers. Prior to joining the firm, Samantha served as an attorney-advisor at the U.S. Department of Health and Human Services in the Medicare Operations Division of the Departmental Appeals Board.

Capabilities

  • Health Care & FDA Practice
202-530-8540