Monday, June 22, 2026

In Breach Settlements, OCR Continues to Call Out Weak Risk Analyses

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) continues to emphasize the importance of conducting risk analyses. OCR recently announced yet another breach settlement — this time with an employer-sponsored group health plan — and noted that it did not conduct an accurate and thorough risk analysis. This is the 14th enforcement action in OCR's Risk Analysis Initiative.

The Biden administration launched the Risk Analysis Initiative as a targeted effort to reduce breaches tied to weak or non-existent risk analyses, according to cybersecurity and compliance firm Clearwater. “But under the Trump administration, the initiative has continued, with enforcement actions and expectations becoming more explicit. Now under the leadership of OCR Director Paula M. Stannard, it is clear that a comprehensive risk analysis is vital in today's environment, as ransomware and supply chain threats continue to escalate,” the Clearwater description continued.

In the latest announcement, OCR described a settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans, the employer-sponsored group health plan of Spencer Gifts LLC, a national retail company, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

“Effective cybersecurity begins with Security Rule compliance, ensuring that Security Rule provisions are implemented before a cyberattack occurs,” said Stannard in a statement. “Regulated entities — including covered group health plans — should ensure these protections are firmly in place well before a cyberattack occurs, so the privacy and security of individuals' health information remain safeguarded.”

OCR noted that the risk analysis provision of the HIPAA Security Rule requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) held by those organizations.

The settlement resolves an investigation that OCR initiated after the plan filed a breach report on January 24, 2022. The plan had received employee complaints that staff were unable to connect to the virtual private network. The plan discovered that in November 2021, an unauthorized actor accessed the company's network and deployed ransomware, encrypting files on the company's systems, including servers storing the plan's PHI, and demanding a ransom. The PHI of 10,023 individuals was potentially affected by the breach, including health plan members' names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers.

OCR found that the plan had potentially violated provisions of the Privacy and Security Rules, including:
• Failing to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the plan prior to the breach incident; and
• Failing to implement reasonable and appropriate policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules prior to the breach incident.

Under the terms of the resolution, the plan paid $450,000 and agreed to a two-year corrective action plan monitored by OCR. Under the corrective action plan, the plan has committed to:
• Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
• Review and, to the extent necessary, revise its current Privacy, Security, and Breach Notification Rule policies and procedures to comply with the HIPAA Rules; and
• Ensure that all workforce members are trained with respect to its Privacy, Security, and Breach Notification Rule policies and procedures.
• Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks to the confidentiality, integrity, and availability of ePHI.
• Ensure audit controls are in place to record and examine information system activity.
• Implement regular review of information system activity.
• Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
• Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
• Incorporate lessons learned from incidents into the organization's overall security management process.
• Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members' respective job duties.

In April 2026 OCR announced settlements with four regulated entities following separate ransomware investigations. In each of these cases, the covered entities were cited for not conducting thorough risk analyses.

The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and involved the exposure of unsecured ePHI. The types of ePHI affected include demographic information, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR.
