Feds Hit Health Entity With $950K Fine in NotPetya Attack
Settlement Is Another Signal of HHS OCR's Latest Enforcement Priority
Federal regulators have hit a Pennsylvania-based healthcare system with a $950,000 financial fine and a corrective action plan to settle potential HIPAA violations found during an investigation into a 2017 ransomware incident involving NotPetya.*
The settlement with Heritage Valley Health System is the third HIPAA enforcement action by the U.S. Department of Health and Human Services in a case involving ransomware. The number of ransomware-linked breaches reported to HHS OCR has nearly tripled since 2018, the agency said.
"Hacking and ransomware are the most common type of cyberattacks within the healthcare sector. Failure to implement the HIPAA Security Rule requirements leaves healthcare entities vulnerable and makes them attractive targets to cybercriminals," said Melanie Fontes Rainer, director of HHS OCR, in a statement.
"Safeguarding patient-protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge healthcare entities to protect their records systems and patients from cyberattacks."
HHS OCR said its investigation into Heritage Valley's incident discovered multiple potential violations of the HIPAA Security Rule. They include failures by Heritage Valley to: conduct a HIPAA security risk analysis, implement a contingency plan to respond to emergencies such as ransomware attacks, and implement policies and procedures to allow only authorized users access to electronic protected health information.
The resolution agreement in the case against Heritage Valley says HHS OCR initiated a compliance review of the entity after media reports said that the organization had experienced a data security incident.
The resolution agreement does not indicate whether Heritage Valley ever reported a HIPAA breach to HHS OCR involving the incident. No such report from Heritage Valley appears posted on HHS OCR's HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Heritage Valley in a statement to Information Security Media Group said the ransomware incident involved NotPetya.
"Heritage Valley computer network was impacted by the NotPetya malware attacks that infected computers worldwide," said Robert Swaskoski, the organization's chief security officer, in the statement.
"HVHS quickly conducted an investigation of the incident with the assistance of external cybersecurity experts and determined that there was no unauthorized access to or acquisition of any protected health information, personal information, or other proprietary data as a result of the incident," he said. "HVHS implemented a variety of safeguards to help prevent a similar incident from occurring in the future, and worked with federal law enforcement and the Department of Justice to prosecute the individuals behind the attacks."
HHS OCR did not immediately respond to ISMG's request for comment and additional details about the Heritage Valley case.
Besides the financial fine, HHS OCR's resolution agreement requires Heritage Valley to undertake a corrective action plan, which includes: conducting an accurate and thorough HIPAA security risk analysis; implementing a risk management plan; reviewing, developing, maintaining and revising its written policies and procedures to comply with the HIPAA Rules; and training its workforce on HIPAA policies and procedures.
Enforcement Trends
HHS OCR last October took its first-ever HIPAA enforcement action involving a ransomware attack, against Massachusetts-based medical management firm Doctor Management Group. The entity agreed to pay a $100,000 financial penalty and undergo three years of HIPAA compliance monitoring following an investigation into a ransomware breach reported in 2019 as affecting nearly 206,700 individuals (see: Feds Levy First-Ever HIPAA Fine for Ransomware Data Breach).
In its second ransomware-related enforcement action, HHS OCR in February hit Green Ridge Behavioral Health with a $40,000 financial settlement and a corrective action plan. The settlement resolved potential HIPAA violations that HHS OCR had found during its investigation into a 2019 ransomware and data exfiltration attack on the Gaithersburg, Maryland-based mental health provider. The incident compromised the protected health information of about 14,000 individuals (see: HHS OCR Tells Congress It Needs More Funding for HIPAA Work).
"Ransomware breaches have become an enforcement priority for OCR," said privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "I expect that we will continue to see financial enforcement actions in instances where OCR viewed that the regulated entity was not sufficiently prepared to defend against and respond to a ransomware attack.
"Covered entities and business associates should confirm that their HIPAA Security Rule risk analyses clearly capture risks related to ransomware attacks, that they maintain data backups that are safeguarded against potential ransomware infections, and that they have tested their disaster recovery efforts in response to a potential ransomware attack," Greene said.
Fontes Rainer in a recent video interview with Information Security Media Group signaled that the agency's scrutiny of ransomware attacks and other hacking breaches as a top HIPAA enforcement priority is intensifying (see: How HHS OCR Is Boosting HIPAA Enforcement; Here Come Audits).
"The number of breaches is going up. They're getting bigger, infecting more people. And we know things like phishing, ransomware hacking are really substantive ways in which people's systems are being infiltrated," she said. "So, we're really focused on this."
As of Tuesday, of the 369 major health data breaches affecting 44.6 million individuals posted on the HHS OCR HIPAA breach website so far in 2024, 288 - or nearly 80% - are reported as hacking incidents. Those hacks affected 29.6 million individuals.
But the majority of HHS OCR's HIPAA enforcement actions over the last several years have centered on patient "right of access" disputes.
HHS OCR has 48 enforcement actions in such cases since the agency launched a patient "right of access" compliance initiative in April 2019 (see: Feds Hit 2 Nursing Home Firms With 'Right of Access' Fines).
Global Impact
A barrage of NotPetya attacks launched in June 2017 affected several companies worldwide, including pharmaceutical giant Merck & Co. and Danish shipping giant A.P. Møller - Maersk.
Federal prosecutors in 2020 indicted six Russian military officers in connection with NotPetya and other hacking incidents (see: Analysis: Can Russia's Cyber Destruction Appetite Be Curbed?).
A Kremlin spokesman in 2018 disputed NotPetya's Russian attribution, telling media that attributions to Moscow amounted to a "Russophobic campaign."
*Updated July 3, 2023 11:44 UTC to reflect Heritage Valley's statement that the ransomware incident involved NotPetya malware.