HIPAA Blog

[ Thursday, January 09, 2025 ]

 

9th Ransomware Case: Virtual Private Network Solutions:  HHS has entered into a settlement agreement with a HIPAA business associate that was hit with a ransomware attack in 2021 that resulted in the encryption of PHI.  VPN Solutions provides data hosting and cloud services to HIPAA covered entities, and in October of 2021 was hit by a ransomware attack that resulted in encryption of data, including PHI of some covered entity clients.  There does not appear to have been any exfiltration of data, and thus it is unclear whether this incident is really a "breach" under HIPAA (it may be a violation because it was a failure of "accessibility," but not a "breach").  However, VPN Solutions reported it.  OCR's investigation discovered (surprise!) that VPN Solutions had not done a sufficient risk assessment.  VPN Solutions agreed to pay a $90,000 fine, implement a corrective action plan, and accept one year of OCR monitoring.

Resolution agreement can be found here.


Jeff [12:57 PM]
