HHS Office for Civil Rights settles HIPAA ransomware cybersecurity investigation for $90,000

Nov. 1, 2024
Settlement with Bryan County Ambulance Authority marks OCR's 7th ransomware enforcement action and 1st enforcement action in OCR's Risk Analysis Initiative.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Bryan County Ambulance Authority (BCAA), a provider of emergency medical services in Oklahoma for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The settlement resolves an investigation concerning a ransomware attack on BCAA's information systems. The settlement also marks the first enforcement action in OCR's Risk Analysis Initiative. This enforcement initiative was created to focus select investigations on compliance with the HIPAA Security Rule Risk Analysis provision, a key Security Rule requirement, and the foundation for effective cybersecurity and the protection of electronic protected health information (ePHI).

In May 2022, OCR received a breach report concerning a ransomware incident that encrypted files on BCAA's network. BCAA determined that the encrypted files affected the protected health information of 14,273 patients. OCR's investigation determined that BCAA had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in BCAA's systems.

Under the terms of the resolution agreement, BCAA agreed to pay $90,000 and to implement a corrective action plan that will be monitored by OCR for three years. Under the corrective action plan, BCAA will take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in their risk analysis;
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
  • Training its workforce on its HIPAA policies and procedures.

HHS release