top of page
Search

Healthcare ransomware: another HHS OCR settlement

  • Writer: Katarzyna  Celińska
    Katarzyna Celińska
  • 2 days ago
  • 2 min read

I have written many times that healthcare remains high on the attackers’ target list. At the same time, the sector still often shows a relatively low level of cyber maturity compared with the sensitivity of the data it protects and the criticality of the services it delivers.

 

The U.S. HHS , announced a settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans following a ransomware incident affecting protected health information. OCR noted that this settlement marks its 20th ransomware enforcement action and the 14th enforcement action under OCR’s Risk Analysis Initiative.

 

 

According to HHS, the investigation started after a breach report filed in January 2022. The organization had received employee complaints that they could not connect to the VPN. It later discovered that an unauthorized actor had accessed the company’s network in November 2021, deployed ransomware, encrypted data on company systems, and affected servers storing the Plan’s PHI. The breach potentially affected 10,023 individuals, including names, addresses, phone numbers, email addresses and Social Security numbers.

 

Painting by rawpixel.com na Magnific


✅ OCR identified potential HIPAA Privacy and Security Rule issues, including failure to conduct an accurate and thorough risk analysis before the incident and failure to implement reasonable and appropriate HIPAA policies and procedures. The resolution included a $450,000 payment and a two-year corrective action plan monitored by OCR.

 

✅ HHS explicitly recommends that regulated entities identify where ePHI exists, how it enters, flows through and leaves systems, conduct and update risk analysis, implement risk management plans, maintain audit controls, review system activity, authenticate access, encrypt ePHI where appropriate and provide workforce training.

 

✅ The healthcare sector should therefore treat ransomware preparation as a core governance and resilience issue.

 

A mature approach should include:

➡️ accurate ePHI inventory,

➡️ risk analysis and risk management,

➡️ tested incident response plans,

➡️ backup and recovery validation,

➡️ identity and access controls,

➡️ network segmentation,

➡️ endpoint protection and monitoring,

➡️ vendor and business associate risk management,

➡️ workforce training,

➡️ evidence that controls actually operate.


 
 
 

Stay in touch

META FOR MENA Information Technology Consultants Est.

City Avenue, 7th floor, office 706-0114

2 27 Street, Port Saeed, Deira, Dubai, United Arab Emirates
P.O. BOX: 40138
Licence N.O.: 1049080

Privacy policy

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
bottom of page