Privacy & Information Security Law Blog

On October 3, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a monetary penalty of $240,000 against Providence Medical Institute (“Providence”) stemming from violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule in relation to a series of ransomware attacks against a California orthopedics practice acquired by Providence in 2016. Providence, an interstate network of medical providers headquartered in California and Washington, acquired the Center for Orthopaedic Specialists (“COS”) in July 2016 but did not integrate COS into Providence IT infrastructure until 2019. According to OCR, COS sustained a series of ransomware attacks in 2018, resulting in the compromise of 85,000 individuals’ electronic protected health information (“PHI”). Providence reported the breaches to OCR in April 2018.

OCR’s subsequent investigation into Providence revealed multiple cybersecurity and privacy issues, including “unsupported and obsolete” operating systems, improperly configured firewalls, and generic credential sharing among COS personnel. OCR ultimately found Providence was liable for two violations of the HIPAA Security Rule, including failure to put in place a business associate agreement and failure to implement necessary policies and procedures to limit electronic PHI access to only authorized persons or software programs. OCR initially issued a Notice of Proposed Determination in March 2024, seeking to impose a civil monetary penalty, which Providence did not contest. Accordingly, OCR issued a Notice of Final Determination to Providence in July 2024.

OCR, in its announcing the penalty, highlighted the significant rise in large ransomware incidents reported to OCR since 2018 (an increase of 264%), a point it has made in several press releases in recent months. OCR also stressed the importance of HIPAA-covered entities taking steps to prevent and mitigate cyber threats and provided a list of recommendations for doing so, including vendor diligence and risk management processes. This penalty marks the fifth OCR enforcement action relating to ransomware incidents.