Health Law Highlights

OCR Settles Alleged HIPAA Violations for $950,000 Following 2017 Ransomware Attack

Summary of article from King & Spalding, by Elizabeth Kimball Key:

On July 1, 2024, the HHS Office for Civil Rights (OCR) announced that Heritage Valley Health System agreed to pay $950,000 to settle alleged HIPAA violations following a 2017 ransomware attack. The settlement, which marks the third HIPAA enforcement action involving ransomware, includes a corrective action plan (CAP) to address compliance gaps. OCR’s investigation revealed several potential HIPAA violations, including inadequate risk analysis, lack of a contingency plan, and insufficient access controls for electronic protected health information (ePHI). As part of the CAP, Heritage Valley will conduct a comprehensive risk analysis, implement a risk management plan, update its policies and procedures, and train its workforce on HIPAA compliance. OCR highlighted a significant increase in ransomware-related breaches, underscoring that such cases are an enforcement priority.