US Department fines Providence Medical Institute $240,000 after ransomware attacks
October 8, 2024
In the United States the fines for breaches of data security can be quite heavy, much heavier than in Australia. As in Australia, there is more than one regulator that can take action against organisations on various grounds for breaches of data security. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced (found here) a notice of final determination finalising a civil penalty of $240,000 against Providence Medical Institute for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following an investigation into a ransomware attack breach report. The final determination is found here.
As is often the way, the background has quite a long history. In July 2016, Providence acquired the Center for Orthopedic Specialists and initiated a two-year transition plan to link the Center for Orthopedic Specialists IT system into Providence’s IT structure. In April 2018 Providence filed a breach report, which resulted in an investigation. The breach report concerned the unauthorized access to and encryption of the Center for Orthopedic Specialists’ systems on February 18, 2018, February 25, 2018, and March 4, 2018. The attacks compromised the electronic protected health information (ePHI) of 85,000 individuals and included:
- names;
- addresses;
- dates of birth;
- driver’s license numbers;
- Social Security Numbers (SSNs);
- lab results;
- medication;
- treatment information;
- credit card information;
- bank account numbers; and
- other financial information.
The investigation determined that Providence:
- did not have a proper business agreement with the IT vendor of the Center for Orthopedic Specialists, as required during its acquisition of the Center for Orthopedic Specialists; and
- failed to implement the required technical policies and procedures for the Center for Orthopedic Specialists systems that maintain ePHI, so as to prevent unauthorized access.
Integrating IT systems can be a difficult process at the best of times. From a data security perspective it commonly introduces vulnerabilities, both in the software itself and in authentication, and the transition period is when those gaps are most likely to be exploited.