Change Healthcare Cyberattack

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter about the Change Healthcare cyberattack and opened a formal investigation. The attack affects Change Healthcare, a unit of UnitedHealth Group (UHG), and the many healthcare organizations that depend on its claims, eligibility and payment services.

The cyberattack has disrupted health care and billing operations nationwide. It poses a direct threat to patient care and critical health system functions.

OCR enforces HIPAA Privacy, Security, and Breach Notification Rules. These rules require covered entities and business associates to protect patient data and to notify HHS and affected individuals after a breach.

Cyberattacks remain the top threat in healthcare. In the past five years, large breaches involving hacking increased 256%. Ransomware attacks rose 264%. In 2023, hacking caused 79% of all large breaches, affecting 134 million people, a 141% increase from 2022.

Given the unprecedented size of this cyberattack, OCR has launched an investigation to protect patients and healthcare providers. The investigation will examine whether a breach of protected health information occurred and whether Change Healthcare and UHG complied with HIPAA Rules.

OCR considers its review of other entities connected to Change Healthcare and UHG as secondary. While OCR is not prioritizing investigations of providers, health plans, or business associates impacted by the attack, it is reminding all partners of their obligations. Entities must maintain business associate agreements and provide timely breach notifications to HHS and affected individuals as HIPAA requires.

Safeguarding protected health information remains OCR’s top priority. To support this effort, OCR is sharing resources to help organizations protect record systems and patients from cyberattacks.

OCR HIPAA Security Rule Guidance Material – This webpage offers educational resources on the HIPAA Security Rule and standards for protecting electronic protected health information (ePHI). Resources include a Recognized Security Practices video, the Security Rule Education Paper Series, HIPAA Security Rule guidance documents, OCR Cybersecurity Newsletters, and more.

OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks – This video explains how the HIPAA Security Rule helps covered entities and business associates defend against cyberattacks. It covers breach trends, common attack methods, and key findings from OCR investigations.

OCR Webinar on HIPAA Security Rule Risk Analysis Requirement – This webinar explains the HIPAA Security Rule requirements for performing a complete risk assessment of potential threats and vulnerabilities to electronic protected health information (ePHI). It also reviews common risk analysis deficiencies that OCR has found during its investigations.

HHS Security Risk Assessment Tool – This tool helps small- and medium-sized entities perform an internal security risk assessment to meet the HIPAA Security Rule’s risk analysis requirement. Running the tool alone does not satisfy the Rule: the policies and forms it identifies must also be created, implemented and kept current.

Factsheet: Ransomware and HIPAA – This resource explains what ransomware is, outlines steps covered entities and business associates must take if their systems are infected, and details HIPAA breach reporting requirements.

Green Ridge Behavioral Health is Second Ransomware Settlement

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Green Ridge Behavioral Health, LLC, a Maryland psychiatric practice. The case involved a ransomware attack that compromised the protected health information of more than 14,000 patients.

Ransomware is malicious software that encrypts a victim’s data and withholds the decryption key until the attacker is paid. OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules to protect patient information. This marks OCR’s second ransomware-related settlement.

OCR Director Melanie Fontes Rainer said:
“Ransomware is now one of the most common cyber-attacks. Patients suffer when they cannot access their medical records. Providers must take steps to prevent these attacks and protect patient data.”

The Breach

In February 2019, Green Ridge reported to OCR that ransomware encrypted its servers, company files, and all patient electronic health records. OCR’s investigation found multiple HIPAA Security Rule failures, including:

  • No complete risk analysis of electronic PHI.
  • No effective security measures to reduce risks.
  • No sufficient monitoring of system activity.

Settlement Terms

Green Ridge agreed to pay $40,000 and implement a Corrective Action Plan (CAP) monitored by OCR for three years. The CAP requires Green Ridge to:

  • Conduct a full risk analysis.
  • Create a risk management plan.
  • Update policies and procedures.
  • Train its workforce on HIPAA.
  • Audit third-party vendors and ensure business associate agreements.
  • Report workforce HIPAA violations to OCR.

Recommendations

Ransomware and hacking are now the top cyber threats in healthcare. Large breaches involving hacking have increased 256% in the last five years, and those involving ransomware rose 264% over the same period. In 2023, hacking caused 79% of large breaches, affecting over 134 million people, a 141% increase from 2022.

OCR recommends providers and business associates:

  • Regularly perform risk analysis and risk management.
  • Monitor and audit system activity.
  • Use multi-factor authentication and encryption.
  • Ensure strong vendor agreements.
  • Provide frequent, role-specific workforce training.
  • Apply lessons from past incidents.

Montefiore Medical Center fined $4.75M for Malicious Insider

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $4.75 million settlement with Montefiore Medical Center, a New York City hospital system. The settlement resolves multiple potential HIPAA Security Rule violations.

OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules. HIPAA requires health care providers, insurers, and other entities to protect the privacy and security of patient information.

Montefiore failed to safeguard its systems. An employee stole and sold the protected health information (PHI) of 12,517 patients over a six-month period in 2013. Montefiore did not report the breach until 2015, after the NYPD uncovered the theft.

OCR’s investigation found Montefiore failed to:

  • Analyze and identify risks to PHI.
  • Monitor activity on its information systems.
  • Implement effective policies and procedures.

Because of these failures, Montefiore neither prevented the theft nor detected it until years later, when law enforcement brought it to the hospital’s attention.
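Both the Green Ridge and the Montefiore findings turn on the same missing control: nobody was reviewing information system activity, so a bulk pull of patient records by one account went unnoticed. The script below is an added example, not anything from OCR or the settlements, of what a minimal activity review over EHR audit logs looks like. The log format (timestamp, user, action, patient id), the sample events, the user names and the thresholds are all constructed for illustration; a real deployment would read the EHR’s own audit trail and baseline by role.

```python
"""Added example: flag insider-style bulk record access in an EHR audit log.

The log format and all sample data below are constructed for this example;
they are not from any real system or from the OCR settlements discussed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median


def build_sample_log():
    """Constructed audit log: a few clinicians with normal workloads plus one
    account (hypothetical 'clerk07') that pulls 40 unrelated records one evening."""
    lines = []
    for day in ("2013-03-04", "2013-03-05"):
        for i, user in enumerate(("nurse01", "nurse02", "dr_lee")):
            for j in range(4):
                lines.append(f"{day}T{9 + j:02d}:1{i}:00 {user} VIEW P-{1000 + i * 10 + j}")
    for j in range(40):
        lines.append(f"2013-03-05T21:{j:02d}:00 clerk07 VIEW P-{5000 + j}")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'ISO-timestamp user action patient_id' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def distinct_patients_per_user_day(events):
    """Count how many distinct patient records each user touched per calendar day."""
    seen = defaultdict(set)
    for ts, user, _action, patient in events:
        seen[(user, ts.date())].add(patient)
    return {key: len(patients) for key, patients in seen.items()}


def flag_bulk_access(events, factor=3.0, floor=10):
    """Flag (user, day, count) where the distinct-patient count exceeds
    max(floor, factor * median of all user-days). factor/floor are assumed
    tuning values; real baselines should be per role."""
    per_day = distinct_patients_per_user_day(events)
    threshold = max(floor, factor * median(per_day.values()))
    flagged = [(user, day.isoformat(), n)
               for (user, day), n in per_day.items() if n > threshold]
    return sorted(flagged), threshold


def flag_after_hours(events, start_hour=7, end_hour=19):
    """Return (user, day) pairs with any access outside the assumed 07:00-19:00 window."""
    hits = {(user, ts.date().isoformat())
            for ts, user, _action, _patient in events
            if not (start_hour <= ts.hour < end_hour)}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    bulk, thr = flag_bulk_access(evs)
    print(f"threshold={thr:.0f} distinct patients/day; bulk access: {bulk}")
    print("after-hours access:", flag_after_hours(evs))
```

Volume heuristics like this catch the Montefiore pattern (one account, thousands of records over months) but not a single targeted lookup, which is why the review should combine volume, time-of-day and a check that each user has a treatment, payment or operations relationship with the patients accessed. The Security Rule’s audit controls standard (45 CFR 164.312(b)) and the information system activity review specification (164.308(a)(1)(ii)(D)) are what OCR cited the absence of in both cases.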

Settlement Terms

Montefiore must pay $4.75 million and follow a Corrective Action Plan (CAP). The CAP requires Montefiore to:

  • Conduct a complete risk analysis.
  • Develop and implement a risk management plan.
  • Install monitoring systems to record and review PHI activity.
  • Review and update HIPAA policies and procedures.
  • Train staff on HIPAA requirements.

OCR will monitor Montefiore for two years.

Key Quotes

OCR Director Melanie Fontes Rainer said:
“Cyber-attacks from malicious insiders are not uncommon. The risks to patient information cannot be ignored. Health care systems must follow the law and act quickly to protect records.”

HHS Deputy Secretary Andrea Palm added:
“Patients must trust providers to protect their records. Our priority remains safeguarding patients and ensuring providers implement strong security policies.”

OCR reported that 134 million people were affected by large breaches in 2023, compared to 55 million in 2022. OCR urges health care providers, health plans, and business associates to:

  • Conduct regular risk analyses.
  • Monitor information system activity.
  • Use multi-factor authentication.
  • Encrypt PHI.
  • Train staff frequently.
  • Update policies based on lessons learned from incidents.

OCR continues to provide training, newsletters, and webinars to help the health care sector strengthen data privacy and cybersecurity.

Patient Right of Access delays cost Optum Medical Care $160K

On December 15, 2023 the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $160,000 settlement with Optum Medical Care of New Jersey (formerly Riverside Medical Group).

OCR received six complaints in 2021 that Optum failed to provide patients or parents with timely access to medical records. Records took between 84 and 231 days to be delivered, well beyond the 30 days (extendable once by a further 30 days) that HIPAA’s Right of Access provision allows.

OCR investigated in 2022 and found that Optum violated the HIPAA Right of Access provision. Optum agreed to pay $160,000 and implement a corrective action plan. The plan requires policy revisions, staff training, and regular reporting to OCR. OCR will monitor Optum for one year.

OCR Director Melanie Fontes Rainer emphasized:
“Access to medical records is a fundamental HIPAA right. Providers must respond to requests quickly and empower patients to make informed decisions about their care.”

This case marks OCR’s 46th Right of Access enforcement action.

©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved