The U.S. Department of Health and Human Services Office for Civil Rights (OCR) continues to emphasize the importance of conducting risk analyses. OCR recently announced yet another breach settlement — this time with an employer-sponsored group health plan — and noted that it did not conduct an accurate and thorough risk analysis. This is the 14th enforcement action in OCR’s Risk Analysis Initiative.
The Biden administration launched the Risk Analysis Initiative as a targeted effort to reduce breaches tied to weak or non-existent risk analyses, according to cybersecurity and compliance firm Clearwater. “But under the Trump administration, the initiative has continued, with enforcement actions and expectations becoming more explicit. Now under the leadership of OCR Director Paula M. Stannard, it’s clear that a comprehensive risk analysis is vital in today’s environment, as ransomware and supply chain threats continue to escalate,” the Clearwater description continued.
In the latest announcement, OCR described a settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans, the employer-sponsored group health plan of Spencer Gifts LLC, a national retail company, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
“Effective cybersecurity begins with Security Rule compliance, ensuring that Security Rule provisions are implemented before a cyberattack occurs,” said Stannard in a statement. “Regulated entities — including covered group health plans — should ensure these protections are firmly in place well before a cyberattack occurs, so the privacy and security of individuals’ health information remain safeguarded.”
OCR noted that the risk analysis provision of the HIPAA Security Rule requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) held by those organizations.
The settlement resolves an investigation that OCR initiated after the plan filed a breach report on January 24, 2022. The plan had received employee complaints that employees were unable to connect to the virtual private network. The plan discovered that in November 2021, an unauthorized actor accessed the company’s network and deployed ransomware, encrypting files on the company’s systems, including servers storing the plan’s PHI, and demanding a ransom. The PHI of 10,023 individuals was potentially affected by the breach, including health plan members’ names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers.
OCR found that the plan had potentially violated provisions of the Privacy and Security Rules, including:
• Failing to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the plan prior to the breach incident; and
• Failing to implement reasonable and appropriate policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules prior to the breach incident.
Under the terms of the resolution, the plan paid $450,000 and agreed to a two-year corrective action plan monitored by OCR. Under the corrective action plan, the plan has committed to:
• Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
• Review and, to the extent necessary, revise its current Privacy, Security, and Breach Notification Rule policies and procedures to comply with the HIPAA Rules; and
• Ensure that all workforce members are trained with respect to its Privacy, Security, and Breach Notification Rule policies and procedures.
• Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks to the confidentiality, integrity, and availability of ePHI.
• Ensure audit controls are in place to record and examine information system activity.
• Implement regular review of information system activity.
• Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
• Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
• Incorporate lessons learned from incidents into the organization’s overall security management process.
• Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
In April 2026 OCR announced settlements with four regulated entities following separate ransomware investigations. In each of those cases, the covered entities were cited for not conducting thorough risk analyses.
The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and involved the exposure of unsecured ePHI. The types of ePHI affected include demographic information, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR.

