Ransomware Hat Trick: OCR Scores Three Major Enforcement Actions in 2024
Ransomware attacks are a growing threat in the health care sector due to the value of personal health information (PHI). In addition to being expensive, these attacks can cripple health care operations, delay patient care, and cause serious reputational damage. Moreover, ransomware attacks can trigger compliance issues with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which can result in hefty penalties.
Here's the HIPAA hat trick: on October 3, 2024, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $240,000 monetary penalty against Providence Medical Institute in response to a ransomware attack. This was the third ransomware-related action in 2024. OCR announced a $250,000 settlement on September 26, 2024, as well as a $950,000 settlement on July 1, 2024, both of which were triggered by ransomware attacks. HAT TRICK!!!
The 2024 matters are consistent with the ever-increasing risk of ransomware attacks. In fact, 2024 has already been a watershed year, with a 264% increase in OCR ransomware enforcement actions since the first ransomware action in 2018.
Lest it appear that OCR is harshly punishing entities merely for being the victims of a ransomware attack, note that the enforcement actions pertain to the entity’s HIPAA compliance overall. The attacks trigger audits of overall compliance, and the results of those audits trigger penalties. Specifically, all breaches must be reported, and OCR is required to investigate any breach that affects 500 or more individuals. While entities may not be able to stop ransomware attacks themselves, investigations resulting from these events may serve as a point of entry for OCR to identify other areas of noncompliance with HIPAA.
Significantly, even if an entity’s existing security measures were appropriate under the circumstance and would not have been able to prevent an attack, a post-breach audit may reveal that the entity is neglecting other aspects of HIPAA’s Privacy, Security, and Breach Notification Rules, such as failure to conduct regular and thorough risk assessments, inadequate security measures, and ineffective breach response. Because these investigations often go beyond the initial breach, enforcement actions and settlements often address multiple areas of noncompliance, resulting in financial penalties and required corrective action plans.
Thus, even if an entity could not have prevented a ransomware attack, it can be subject to substantial penalties for aspects of HIPAA compliance that it can control. OCR’s increased rate of enforcement actions serves as a warning to health care entities to diligently implement security measures, create a culture of compliance, and proactively protect PHI.
Consistent with its proactive approach to compliance, OCR recently released a video with various ransomware prevention recommendations. Spoiler alert: fundamental Security Rule compliance is, itself, ransomware prevention.