On November 1, 2024, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a $90,000 settlement with Bryan County Ambulance Authority (“BCAA”), a provider of emergency medical services in Oklahoma, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. BCAA admitted no wrongdoing as part of the settlement. The settlement follows an investigation of BCAA triggered by a ransomware attack that encrypted BCAA patient data, putting the protected health information (“PHI”) of over 14,000 individuals at risk.
What You Need to Know:
- This settlement marks OCR's first ransomware enforcement action under its new Risk Analysis Initiative, which focuses on ensuring that healthcare organizations are conducting proper risk assessments to protect electronic protected health information (“ePHI”), a crucial step in preventing cyberattacks like ransomware. Ransomware remains an ongoing and significant concern for HHS OCR.
- To safeguard the confidentiality, integrity, and security of PHI and ePHI, HIPAA-covered entities and business associates are required to abide by the regulations in the HIPAA Security Rule and Privacy Rule.
- OCR investigations can lead to costly settlements and continued oversight of a HIPAA-covered entity’s HIPAA compliance.
In May 2022, BCAA reported a data breach involving a ransomware attack that encrypted files on BCAA’s network and affected the PHI of 14,273 BCAA patients. BCAA is a governmental entity run by the county government. OCR’s investigation revealed that BCAA had failed to conduct an adequate risk analysis to determine the potential risks and vulnerabilities to ePHI in BCAA’s systems.
Under the terms of the settlement agreement, BCAA agreed to pay $90,000 and entered into a three-year corrective action plan (“CAP”). As part of the CAP, BCAA has agreed to do each of the following:
- conduct an accurate and thorough risk analysis to identify potential risks to ePHI including a complete inventory of its electronic equipment, data systems and off-site data storage facilities;
- implement an enterprise-wide risk management plan to mitigate identified vulnerabilities;
- maintain and revise its policies and procedures to comply with HIPAA requirements and distribute the policies to its workforce; and
- provide training to its staff on HIPAA compliance and the importance of protecting patient data.
A copy of the BCAA resolution agreement and corrective action plan can be accessed here: Bryan County Ambulance Authority Resolution Agreement and Corrective Action Plan | HHS.gov.
In the HHS OCR press release announcing the BCAA settlement, OCR recommends that health care providers and other regulated parties take the following steps to mitigate or prevent cyber threats:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes regularly.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to the organization and to job responsibilities, on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.