Seven Years After Worldwide NotPetya Attacks, OCR Singles Out PA System, Collects Nearly $1M

Health Care Compliance Association (HCCA)

Report on Patient Privacy 24, no. 8 (August 2024)

Unleashed on June 27, 2017, NotPetya caused an estimated $10 billion in damages globally, among the costliest ransomware attacks in history. In 2018, the Trump administration—in tandem with the British government—blamed Russia and vowed the “reckless and indiscriminate cyber-attack…will be met with international consequences.”

Two years later, the Department of Justice indicted six Russian nationals—members of the hacker group Sandworm—for the attack. But, despite a bounty of $10 million the Department of State offered for their arrest in 2022, they appear to remain free men.

In the seven years since, ransomware attacks have continued, just under different groups and malware names, among them Blacksuit and Volt Typhoon. The world largely recovered and moved on from NotPetya—except for Heritage Valley Health System (HVHS), a nonprofit organization based in Beaver, Pa., that also provides care in neighboring Ohio and West Virginia.

To end an investigation the HHS Office for Civil Rights (OCR) began four months after Heritage was attacked by NotPetya in 2017, the organization recently agreed to pay OCR $950,000 and implement a three-year corrective action plan (CAP) that includes a risk analysis and other related tasks in response to what the agency alleged were “potential” violations of the Security Rule.[1] In announcing the settlement, OCR contended, for example, that Heritage failed to “implement a contingency plan to respond to emergencies, like a ransomware attack, that damage systems that contain electronic protected health information [ePHI].”

The regulation OCR maintained that Heritage violated doesn’t mention the word “ransomware,” a reflection of when it was written. 45 C.F.R. § 164.308(a)(7), which OCR cited in the settlement agreement, requires “policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.”[2] The CAP requires Heritage to, in OCR’s words, “take a number of steps to resolve potential violations of the HIPAA Security Rule and protect the security” of ePHI.[3]

The accusation stands in contrast to details Heritage recounted in an unsuccessful 2019 breach of contract suit against a business associate (BA) that spread the malware. Heritage’s loss turned on the fact that its 2003 contract with the transcription firm Dictaphone was never signed by Nuance Communications Inc. after it acquired the company in 2006, so Heritage couldn’t hold Nuance to the security protections Dictaphone had pledged to maintain.

According to the suit, NotPetya “began in the Ukraine and initially entered into Nuance’s network through its relationship with a software developer in that country. The malware spread through Nuance’s network from India to Massachusetts and then back again before finally entering into Heritage Valley’s systems in Pennsylvania.”

Heritage said it “never should have been infected by the malware and never would have been infected by the malware were it not for Nuance’s negligence. Nuance implemented a business strategy focused on global expansion without taking the precautions necessary to protect itself and its customers against foreseeable cybersecurity risks that were part and parcel of this international growth,” Heritage claimed.

It said the malware began with an attack on a Ukrainian tax filing software program and likely spread via Nuance’s “business connections” there. In 2012, Nuance saw rapid adoption in Ukraine of the dictation app Dragon.

“As with Nuance[,] the outbreak ultimately affected a majority of Heritage Valley’s servers and workstations by encrypting the file system and files, making the operating systems unbootable and the files contained on the drives inaccessible,” the suit continued. “A forensics analysis from two independent data sources showed that the malware entered Heritage Valley’s computer network systems through a trusted virtual private network connection [VPN] with Nuance.” Specifically, the malware was attached to the iChart application, which hosted the Dictaphone software, according to the suit.

Amid ‘Chaos,’ Systems Down a Week

The litigation chillingly describes the flight path of the malware and how Heritage coped with the “chaos” it wrought. The details may prove illuminating to entities that have never experienced such an attack; to those that have, they might provoke sympathy and perhaps a little post-traumatic stress, particularly among those who manage the response to such attacks.

Heritage’s firewall logs showed NotPetya entered its systems via the VPN connection on June 27, 2017, at 7:23:44 a.m., prompting “immediate and substantial...destruction,” affecting “the entire health system including satellite and community locations.” Among them were Heritage’s Sewickley and Beaver hospitals, Heritage Valley Medical Group, Tri-State Obstetrics and Gynecology and Heritage Valley Pediatrics, according to the suit. Nuance had discovered anomalies in its systems less than 30 minutes earlier and had taken iChart offline—but too late to stop the spread to Heritage, according to the suit.

“The malware affected every aspect of the health system’s ability to operate. Physicians and nurses were forced to re-draw pre-operative laboratory results because they could no longer access prior results,” the litigation states. “Bands had to be cut off and alarm systems rebooted each time an infant was discharged from the hospital. Laboratories and x-ray machines were down. Under these circumstances Heritage Valley physicians made critical decisions as to whether patients had to be diverted and if so to what location.”

Lab and “diagnostic services at Heritage Valley medical neighborhoods and community locations were closed for days, and it was not until nearly a week later that all acute, ambulatory and ancillary care services were restored at all Heritage Valley locations,” the suit recounts. However, it notes that “the quality of critical health care Heritage Valley provided to its patients did not suffer,” due to the “extraordinary efforts of Heritage Valley physicians, nurses and administrative staff, who endured throughout the chaos of the malware attack to maintain continuity to patient care to the greatest extent possible.”

At the time of the 2019 suit, Heritage said the attack cost “millions...including not only substantial business income loss but also the required repair and restoration of computer network systems, a significant amount of employee overtime and compensation, professional and third-party fees incurred in connection with responding to and remediating the incident, and intangible economic harm including the loss of goodwill.”

Yet, it was not considered a breach reportable to OCR.

Heritage ‘Pleased to Resolve the Matter’

To that tally now should be added the nearly $1 million OCR penalty and the cost of complying with the CAP.

RPP submitted a series of questions to both Heritage and OCR about the settlement, including requesting the basis for the $955,000 penalty. OCR officials did not respond. Robert Swaskoski, Heritage’s chief security officer and vice president for enterprise risk management, did not answer the questions but sent a statement.

It begins by acknowledging Heritage had been “impacted” in July 2017 by the NotPetya “malware attacks that infected computers worldwide. HVHS quickly conducted an investigation of the incident with the assistance of external cybersecurity experts and determined that there was no unauthorized access to or acquisition of any protected health information, personal information, or other proprietary data as a result of the incident. HVHS implemented a variety of safeguards to help prevent a similar incident from occurring in the future, and worked with federal law enforcement and the Department of Justice to prosecute the individuals behind the attacks.” OCR “initiated a compliance review in 2017 related to the NotPetya malware attack, which recently concluded. As a result of this review and findings, HVHS has entered into a voluntary settlement agreement with OCR. We are pleased to resolve this matter and will continue to work diligently in the best interests of our patients, staff and physicians.”

It is not clear if OCR ever pursued Nuance for any noncompliance that could have accompanied the malware attack. Moreover, OCR didn’t highlight the system’s lack of a BA agreement with Nuance, which would appear to be a clear HIPAA violation; however, the CAP does include a policy and procedures-related requirement to “document satisfactory assurances from business associates through a written contract or other arrangement with the business associate that meets the requirements of § 164.314(a).”

Third OCR Ransomware Settlement

RPP was unable to obtain answers related to timing, specifically, why it took seven years to reach a resolution and why the settlement, signed in February—the same month OCR issued its second such agreement—wasn’t released until July 1.

Heritage’s is the third and most costly ransomware-related settlement OCR has announced to date, but it’s a bit difficult to track the timing and thus gauge OCR’s interest in pursuing such cases.

OCR’s first ransomware settlement—which included a $100,000 payment and a three-year CAP with Doctors’ Management Service (DMS), a BA—was announced Oct. 31 of last year.[4] In an extensive interview with RPP, the firm’s CEO detailed its quick recovery within one day of the attack and decried the five-year protracted and “frightening” investigative process by OCR, accusing the agency of insisting on the $100,000 once it learned DMS’ cyber insurance would cover it.

In February, OCR said a Maryland behavioral health provider agreed to a $40,000 payment and a three-year CAP for a breach that also resulted from a ransomware attack.[5] Documents OCR posted online indicate this settlement was finalized in October, around the same time the agency announced the DMS settlement. The provider did not respond to questions from RPP.


[1] U.S. Department of Health and Human Services, “HHS Office for Civil Rights Settles HIPAA Security Rule Failures for $950,000,” news release, July 1, 2024, https://bit.ly/4fQLwhc.

[2] U.S. Department of Health and Human Services, “Heritage Valley Health System Resolution Agreement and Corrective Action Plan,” content last reviewed May 29, 2024, https://bit.ly/3M0VT4b.

[3] Theresa Defino, “NotPetya Victim’s CAP Has Standard Security Compliance Tasks,” Report on Patient Privacy 24, no. 8 (August 2024).

[4] Theresa Defino, “BA Depicted by OCR as Example of Ransomware Dangers Recovered Quickly, Didn’t Expect Fine,” Report on Patient Privacy 23, no. 11 (November 2023), https://bit.ly/41W7WqD.

[5] Theresa Defino, “Small Md. Behavioral Health Provider, Victim of Ransomware, Pays OCR $40K,” Report on Patient Privacy 23, no. 4 (April 2024), https://bit.ly/3yCacsW.
