Fraud Management & Cybercrime , Healthcare , HIPAA/HITECH

Doctor Hit With $500K HIPAA Fine: Feds Worse Than Hacker

Plastic Surgeon Paid $53K Ransom But Says ‘the Real Criminal’ Is HHS
Doctor Hit With $500K HIPAA Fine: Feds Worse Than Hacker
Dr. James Breit, owner, Plastic Surgery Associates of South Dakota (Image: Plastic Surgery Associates of South Dakota)

Dr. James Breit, owner of a South Dakota plastic surgery clinic, recalled the day a hacker locked up nine workstations and two servers with ransomware. He ended up paying $53,000 in ransom to access the data, and he claims no data was stolen. Nearly, seven years later, after paying a $500,000 HIPAA fine, Breit alleges he got better treatment from the cybercriminals than he did federal regulators.

See Also: Preparing for New Cybersecurity Reporting Requirements

"Our insurance company thankfully paid the settlement amount. In the end, at least the cyber terrorist fulfilled their part of the deal when they were paid the ransom," Breit told Information Security Medical Group. "The real criminal in the situation is our very own government, whom we pay taxes to protect us from this stuff, but instead of going after the attackers, they go after the victims and fine them 10 times more than what the criminals obtained, for an incident in which no patient information was ultimately compromised."

His cosmetic surgery practice, Plastic Surgery Associates of South Dakota, which has two surgeons and seven other clinicians in Central Sioux Falls, was one of two providers that recently agreed to pay a total of $590,000 in fines to the Department of Health and Human Services' Office for Civil Rights in the agency's 6th and 7th HIPAA enforcement action to date involving ransomware breaches.

The enforcement agency cited ransomware incidents as a top HIPAA priority last year when it settled its first such case with a Massachusetts-based medical management services firm (see: Feds Levy First Ever HIPAA Fine for Ransomware Data Breach).

Since 2018, the number of in large breaches involving ransomware attacks reported to HHS OCR has grown 264% since 2018.

"Ransomware attacks often reveal a provider’s underlying failures to comply with the HIPAA Security Rule requirements such as conducting a risk analysis or managing identified risks and vulnerabilities to health information," said Melanie Fontes Rainer, director of HHS OCR.

"Such failures can make our doctors and hospitals attractive targets for cyberattacks and can lead to breakdowns in our healthcare system."

Under the resolution agreement that HHS OCR disclosed on Thursday, the cosmetic surgery practice, must pay the $500,000 fine and take steps to improve its data security practices following a breach report submitted to the federal agency on July 27, 2017, involving a ransomware incident affecting 10,229 people.

Breit said the ransomware incident was "very frustrating on multiple levels," including what he claims played out after the practice filed its breach report.

"None of our patients' information was leaked, they encrypted it from us, so that we could not use it," he said. "We ended up paying the ransom of around $53,000 to get the information back securely. We also reported this incident to the OCR, thinking ignorantly that they would provide assistance or maybe go after the attackers. Instead, they documented everything that we had done to mitigate the situation, but provided no assistance."

An investigation of the incident, found that threat actors obtained the credentials used to access PSASD’s network through a brute force attack to PSASD’s remote desktop protocol, the HHS OCR resolution agreement with the practice said.

"After discovering the breach, PSASD was unable to restore the affected servers from backup, and PSASD made two bitcoin ransom payments in the sum of $27,399.97 to the hackers in exchange for decryption keys for its patients’ protected health information," the resolution agreement said.

HHS' Office for Civil Rights said its investigation into the PSASD breach report discovered "significant noncompliance" with the HIPAA rules.

That included PSASD's failure to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all its electronic protected health information.

HHS OCR also found PSASD failed to implement security measures sufficient to reduce risks and vulnerabilities; to establish and implement policies and procedures for regularly reviewing activity on its information systems containing ePHI; and to implement policies and procedures to address security incidents.

PSASD's corrective action plan calls for the practice to implement a long list of measures to correct those HIPAA deficiencies.

Breit alleges that HHS OCR "waited six years to inform us that we had areas that were still weak in our newly implemented cybersecurity plan." In the meantime, the calculated daily fines over the six years eventually hit "over $1 million in fines," he said.

"The lawyer we used was chosen by the insurance company and did a subpar job, in my opinion, negotiating this down and never informed us of the final pay out until after he had signed the agreement," he said.

Breit said the settlement amount of $500,000 also included a guarantee from the OCR that the agency would provide technical assistance in any areas that were deemed deficient in the practice's cybersecurity policy. "We have already corrected those, and to my knowledge we have no ongoing issues," he said.

HHS OCR did not immediately respond to ISMG's request for comment on Breit's claims.

County Ambulance Provider Incident

Under the second HIPAA settlement also announced Thursday, Bryan County Ambulance Authority, a government entity in Bryan County, Oklahoma that provides emergency medical services, has agreed to pay HHS OCR a $90,000 fine and bolster its security practices following a November 2021 ransomware attack that BCAA reported to the agency as affecting 14,273 people.

HHS OCR said that on May 18, 2022, it received from BCAA a breach report about a Nov. 24, 2021, ransomware infection that encrypted files on BCAA's network.

BCAA determined the affected files contained the ePHI of approximately 14,273 patients.

HHS' investigation into the breach found that BCAA had never conducted a HIPAA security risk analysis.

Under BCAA's corrective action plan, the EMS provider must implement a long list of improvements to its security risk management program, including conducting a thorough and timely HIPAA security risk analysis that must be updated annually.

Nate Toews, deputy director of Bryan County EMS, in a statement to ISMG said that in November 2021, "BCAA, like many other municipalities and healthcare-related organizations across our country, was the victim of a cybersecurity attack."

Since then, "BCAA is making to bolster safeguards and to introduce additional measures to prevent a similar event from occurring again in the future," he said.

In the meantime, the failure to conduct a HIPAA Security Rule risk analysis "leaves healthcare entities vulnerable to cyberattacks, such as ransomware," Fontes Rainer said.

"Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA,” she said.

Besides falling under HHS OCR's ransomware breach enforcement action initiative, the settlement with BCAA is also the agency's first official action taken under its recently launched Risk Analysis Initiative, Fontes Rainer said.

"OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this HIPAA security rule requirement," she said.

Last week during a HIPAA Summit hosted by HHS and the National Institute of Standards and Technology, HHS OCR officials hinted that security risk analysis might also be the focus of a proposed update to the 20-year-old HIPAA Security Rule, which is under review by the White House's Office of Management and Budget (see: White House Reviewing Updates to HIPAA Security Rule).

"We have a better sense of what's needed in the healthcare system, and so obviously risk analysis is something that continues to come up. So, I would expect it would be an area that would be somewhat covered because it is an area we continue to see issues in how it's implemented," Fontes Rainer told reporters during a briefing at the summit (see: What's in Store for HIPAA Regulations).

HHS OCR expects to publish the notice of proposed rulemaking for the HIPAA Security Rule update in December and provide 60 days for public comment.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.