$950,000 Paid by Heritage Valley Health System to Resolve Alleged HIPAA Violations

The 3-hospital health system has over 50 doctor clinics and numerous community satellite services in eastern Ohio, Pennsylvania, and the panhandle of West Virginia.

In 2017, Heritage Valley was impacted by a worldwide malware attack. The NotPetya malware was installed on its system because of a connection with Nuance Communications, its business associate. OCR investigated Heritage Valley in October 2017 after the media reported a data security incident to find out if Heritage Valley complies with the HIPAA Security Rule requirements.

As per OCR’s investigation, Heritage Valley had failed in multiple Security Rule compliance, such as the following

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) – not able to perform a comprehensive risk analysis to determine possible threats and vulnerabilities to the integrity, confidentiality, and availability of electronic protected health information (ePHI).
  • 45 C.F.R. § 164.308(a)(7) – the covered entity failed to create and enforce a backup plan for addressing an emergency that compromises systems that contain ePHI.
  • 45 C.F.R. § 164.308(a)(4) and 164.312(a)(1)) – inability to impose technical guidelines and procedures for electronic data systems that hold ePHI allowing only access by authorized individuals or software programs

Ransomware groups are targeting the healthcare sector causing a 264% increase of ransomware-related data breaches since 2018. Healthcare providers that are completely HIPAA Security Rule compliant can minimize the chance of a ransomware attack being successful and can restrict the damage caused in case of a successful attack.

Besides the financial penalty, Heritage Valley has consented to put in place a corrective action plan, which will be under the supervision of OCR for three years. The corrective action plan consists of

  • performing comprehensive risk analysis
  • developing a risk management plan to minimize identified threats and vulnerabilities
  • evaluate, create, maintain, and modify Heritage Valley’s written guidelines and procedures to be compliant with the HIPAA Rules give employee training about HIPAA policies and procedures

Hacking incidents and ransomware attacks are prevalent within the healthcare industry. The inability to comply with the HIPAA Security Rule requirements makes healthcare entities vulnerable and appealing targets to cyber criminals. Protecting the patient’s protected health data safeguards privacy and assures continuing care, which is a healthcare provider’s number one priority.

This is OCR’s third HIPAA penalty enforced due to a ransomware attack and the fifth HIPAA enforcement action in 2024 with a financial penalty.

OCR is telling all HIPAA-covered entities of their accountabilities under the HIPAA Security Rule to do something to minimize or avoid cyber risks. These consist of:

  • Going over relationships with business associates, making sure to sign a business associate agreement (BAA), and handling data breach and security incident responsibilities
  • Combining risk analysis and risk management into business procedures, and performing risk analyses with technologies
  • Making sure an audit trail is kept and data system activity is frequently examined
  • Encrypting ePHI to avoid unauthorized access and applying multifactor authentication on accounts
  • Giving regular training to the employees and job obligations and rewarding the role of members of the workforce regarding privacy and security
  • When security incidents happen, integrate the lessons realized into the security administration process.

Photo credits: SizeSquare’s; AdobeStock.com

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

John Blacksmith

John Blacksmith is a journalist with several years experience in both print and online publications. John has specialised in Information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.