The HHS’ Office for Civil Rights (OCR) has announced its first HIPAA enforcement action of 2025, a settlement resolving alleged violations of the HIPAA Rules. Elgon Information Systems, a Massachusetts-based provider of electronic medical records and billing support services, paid an $80,000 penalty to settle the investigation. This is the eighth OCR investigation of a ransomware-related data breach to end in an enforcement action, and the second enforcement action under OCR’s risk analysis enforcement initiative.
On March 31, 2023, Elgon Information Systems discovered the attack when it found a ransom note demanding payment. Its internal investigation determined that the ransomware group had gained access to its network on March 25, 2023, through open ports on its firewall. The threat actors accessed the electronic protected health information (ePHI) of 31,248 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and clinical data such as diagnoses, medical conditions, and prescription drugs.
OCR’s investigation found that Elgon Information Systems had not conducted a thorough and accurate risk analysis. Had it done so, the open ports on the firewall would have been identified and remediated. In addition to paying the $80,000 penalty, Elgon Information Systems must implement a corrective action plan that requires it to review and update its risk analysis and risk management plan, review and update its policies and procedures for complying with the HIPAA Privacy and Security Rules, and provide workforce training on its HIPAA policies and procedures. OCR will monitor Elgon Information Systems for three years to ensure compliance with the HIPAA Rules.
OCR had a busy 2024 because of its HIPAA enforcement initiatives. OCR Director Melanie Fontes Rainer stated that OCR completed 22 investigations of HIPAA-covered entities in 2024 and imposed corresponding penalties for HIPAA violations. Of the 22, 17 have been publicized. OCR collected over $9.9 million in civil monetary penalties and settlements.
OCR’s recent proposal to update the HIPAA Security Rule aims to address noncompliance with the risk analysis requirement. OCR’s HIPAA compliance audits in 2016-2017 found that most audited HIPAA-covered entities were not fully compliant with the risk analysis and risk management requirements of the HIPAA Security Rule, and a failure to conduct an accurate risk analysis is frequently uncovered during data breach investigations. A HIPAA-compliant risk analysis is both a legal requirement and essential to effective cybersecurity. It is the best defense against cyberattacks such as hacking and ransomware, because it identifies the potential risks and vulnerabilities to ePHI.
The HIPAA Security Rule requires a comprehensive and accurate risk analysis to identify all risks and vulnerabilities to ePHI; however, the Rule does not specify what a risk analysis must involve. The proposed HIPAA Security Rule update sets out more specific requirements for the risk analysis, making clear that HIPAA-covered entities must create and maintain an accurate inventory of technology assets, map how ePHI flows through their information systems, and identify the locations within those systems (or parts of them) where ePHI is generated, received, stored, or transmitted. Those steps make it possible to identify the risks and vulnerabilities to ePHI accurately.