HIPAA Blog

[ Tuesday, July 08, 2025 ]


Let's catch up on some recent HIPAA enforcement actions:

Deer Oaks, a HIPAA covered healthcare provider that provides behavioral health services primarily to residents in nursing homes and other facilities, misconfigured its IT systems to allow discharge summaries of 35 patients to be accessible online. A few months later, Deer Oaks suffered a ransomware attack that affected the PHI of 171,871 patients. The hacker demanded a ransom payment, but it's not clear if Deer Oaks paid or not. Deer Oaks did report the incidents to OCR, and as part of its investigation, OCR determined that Deer Oaks didn't do an effective risk assessment (shocking, no?). Ultimately, in July 2025 OCR fined Deer Oaks $225,000 and implemented a 2-year monitored corrective action plan.

BayCare Health System in Florida reached a settlement with OCR in May 2025 regarding complaints about impermissible access to its electronic PHI.  It seems a former staffer at a physician practice was able to get access to the BayCare medical record system, and sent a BayCare patient copies of her medical records (along with a video showing the hacker scrolling through her computerized records).  OCR found that BayCare's policies and procedures weren't sufficient, and specifically that BayCare did not audit system activity sufficiently.  In addition to 2 years of monitoring, BayCare was fined $800,000.  At least OCR didn't point out a failure to conduct a risk assessment (although the monitoring plan specified the performance of a new risk assessment).  

Also in May 2025, OCR settled a ransomware incident with Comstar, a Massachusetts ambulance billing and collection company. Business Associates must do risk assessments too, and Comstar didn't. When a hacker got into the system and encrypted the PHI of over 500,000 people, OCR determined that the lack of a risk assessment contributed to the incident. Two years of monitoring and $75,000 were the result. Risk analysis, policies and procedures, audit controls, system activity review, encryption and training all would help.

In July 2025, OCR settled another ransomware case, this time involving a Syracuse (NY) ambulatory eye surgery center.  PYSA ransomware was used to encrypt the PHI of about 25,000 patients, and OCR determined that the ASC had never conducted a risk assessment.  In addition to a $250,000 fine, the ASC will certainly be doing a risk assessment -- and other HIPAA activities during its 2-year monitoring plan. 

Jeff [7:38 PM]
