Malware Cyberattack Leads to $875,000 HIPAA Settlement | Practical Law


The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving a research university's health sciences center (and HIPAA covered entity). The university will pay $875,000 to settle the potential violations and must take corrective measures that include a comprehensive risk analysis and risk management plan.


Practical Law Legal Update w-036-2914 (Approx. 7 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 18 Jul 2022, USA (National/Federal)
On July 14, 2022, HHS issued a resolution agreement and related press release announcing a settlement with a research university for potential violations of HIPAA's privacy, security, and breach notification rules (see HIPAA Privacy, Security, and Breach Notification Toolkit). The enforcement action involved the university's health sciences center (a HIPAA covered entity (CE)) that trains health providers and furnishes preventive, rehabilitative, and diagnostic health care services. HHS began its investigation after the university submitted a breach notification to the agency in January 2018 regarding an incident that occurred a few months earlier (see Practice Notes, HIPAA Breach Notification Rules for Group Health Plans and HIPAA Enforcement and Group Health Plans: Penalties and Investigations). The university will pay $875,000 to settle the potential violations and must adopt a corrective action plan and risk management plan.

Investigation Reveals Prior Attack and Unauthorized Access to ePHI

According to the university's January 2018 breach report, the ePHI of nearly 280,000 patients was obtained when a hacker gained access to the health sciences center's web server by uploading malware. As a result, the hacker accessed folders stored on the server that contained the patients' names, Medicaid numbers, health provider names, dates of service, dates of birth, addresses, and treatment information. After submitting its January 2018 breach report, the university also discovered (and reported to HHS) that an unauthorized user had previously accessed the same server in 2016. At the time of the earlier breach, however, the university stated that it was unaware that ePHI was stored on the server.
HHS's resulting investigation indicated that the university failed to comply with HIPAA privacy, security, and breach notification requirements involving:
Under its resolution agreement with HHS, the university must make an $875,000 payment to the agency. In addition, the university must:
  • Comply with a corrective action plan (CAP) that HHS characterized as "robust" (see Corrective Action Plan).
  • Submit annual reports, for a two-year period, that detail the status of the university's compliance with the CAP.
  • Retain all documents and records regarding CAP compliance for six years.

Corrective Action Plan Addresses Security Management and Policies

The CAP contains several requirements related to the security management process provisions of HIPAA's Security Rule. For example, the CAP requires the university to:
  • Perform a comprehensive, enterprise-wide risk analysis of the security threats and vulnerabilities of all ePHI created, received, maintained or transmitted by the university's health sciences center (including all electronic media, workstations, and information systems that are owned or leased by the center that store or can access ePHI).
  • Develop a risk management plan to address and mitigate any security threats and vulnerabilities identified in its risk analysis.
  • Timely submit its risk analysis and risk management plan to HHS for approval and make revisions required in response to HHS's review.
The university can use either its own resources or a third-party vendor to conduct the required risk analysis and risk management plan.

CAP Requirements Involving HIPAA Policies and Procedures

The CAP also requires the university to develop and revise (as necessary) its written policies and procedures so that they:
  • Comply with HIPAA's privacy and security rules.
  • Address any threats and vulnerabilities to ePHI identified in the university's risk analysis and risk management plan.
  • Provide for furnishing timely HIPAA breach notification to affected individuals.
The university must obtain HHS's approval of the revised policies and procedures.
The university must also:

Independent Monitoring Requirements

The CAP also contains numerous requirements related to the use of an independent monitor to evaluate the university's CAP compliance. For example, the CAP requires the university to timely appoint an independent monitor with the requisite experience in HIPAA Security Rule compliance to:
  • Review the university's adherence to the CAP.
  • Retain and submit to HHS (on request) documentation reflecting the monitor's reviews.
  • Prepare a quarterly report of its reviews of the university's CAP compliance programs.
  • Immediately report any significant violations of the CAP by the university to HHS.
If the university wishes to terminate the independent monitor during the course of the CAP, it must submit to HHS a notice explaining why before the termination and timely appoint a new monitor. The CAP also authorizes HHS to conduct its own reviews of CAP compliance (for example, if HHS believes the monitor's reviews are deficient).

Practical Impact

In recent years, HHS has begun imposing independent monitoring requirements (similar to the ones in this latest settlement agreement) that provide an additional layer of oversight to the CAP process (see Legal Update, HHS HIPAA Security Rule Settlement Imposes Extensive Independent Monitoring Requirements). These provisions usually allow HHS to address the independent monitor's own performance (for example, by unilaterally requiring a CE to replace a monitor that, in HHS's view, is not adequately carrying out its duties).
It should also be noted that 2021 legislation requires HHS, in enforcing HIPAA, to consider whether a HIPAA CE or business associate has implemented and applied certain recognized security practices (if in place for the prior 12 months), including with regard to cybersecurity (see Article, HIPAA Enforcement: Use of Recognized Security Practices, Including for Cybersecurity). According to an HHS press release, the legislation took effect when it was signed into law on January 5, 2021. The university's health sciences center (as a HIPAA CE) could have made itself less vulnerable to a cyberattack by, among other things, knowing where ePHI was stored on its information systems; a system that is not known to hold ePHI is unlikely to be included in the risk analysis, hardened, or monitored as one that does.