U.S. Healthcare Organisation Fined Nearly US$1m Over 2017 Ransomware Incident


July 10, 2024 1:35 pm

The United States Department of Health and Human Services has handed down a hefty fine to the Pennsylvania-based Heritage Valley Health System over violations of the Health Insurance Portability and Accountability Act (HIPAA).

The fine follows an investigation into a ransomware attack on the healthcare provider in 2017.

The Department of Health and Human Services found that Heritage Valley Health System had failed to conduct a proper risk analysis of the data it held and how that data was stored, and did not have a proper contingency plan in place for an attack of this kind. Nor did the organisation have properly implemented user access policies in place.

In addition to the fine, Heritage Valley will be required to develop proper security policies in line with HIPAA rules, implement a risk management plan, and conduct a “thorough risk analysis” program.

The organisation’s progress will also be monitored by the Department of Health and Human Services’ Office for Civil Rights for a period of three years.

“Hacking and ransomware are the most common type of cyber attacks within the healthcare sector. Failure to implement the HIPAA Security Rule requirements leaves healthcare entities vulnerable and makes them attractive targets to cyber criminals,” Melanie Fontes Rainer, the director of the Office for Civil Rights, said in a statement.

“Safeguarding patient-protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyber attacks.”

According to the Department of Health and Human Services, there has been a 264 per cent increase in ransomware reports filed with the Office for Civil Rights since 2018.