$240K Fine for Ortho Group Ransomware Attack

A U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigation into a series of ransomware attacks against an orthopedic group has left Providence Medical Institute with a $240,000 civil monetary penalty.
Providence Medical Institute is a California-based physician services organization with 275 providers who work in 35 medical offices throughout Southern California. In 2016, Providence Medical Institute acquired Center for Orthopaedic Specialists, a California-based orthopedic group.
After the acquisition, Center for Orthopaedic Specialists began to transition to Providence Medical Institute’s network. Before the transition was complete, Center for Orthopaedic Specialists was hit with three ransomware attacks, all by the same attacker over three consecutive Sundays.
According to the OCR findings of fact, the compromised data included electronic protected health information (ePHI) belonging to 85,000 individuals. OCR also found that the compromised information included:
- “names,
- addresses,
- dates of birth,
- driver’s license numbers,
- Social Security numbers,
- lab results,
- medications,
- treatment information,
- credit card information,
- bank account numbers, and other financial information.”
According to an HHS press release, “OCR found two potential violations of the HIPAA Security Rule, including failure to have a business associate agreement in place and failure to implement policies and procedures to allow only authorized persons or software programs access to ePHI.” Providence Medical Institute did not contest OCR’s findings or the civil monetary penalty of $240,000.
In the HHS press release, OCR Director Melanie Fontes Rainer commented, “Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information.”
Rainer continued, “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.”
Ransomware attacks and hacking are a serious issue for the health care industry. According to the HHS press release, “there has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018.”
This threat should not come as a surprise to OTW readers. OTW has covered countless cyberattacks against orthopedic groups and others in the medical industry. For OTW’s previous coverage of cyberattacks, see “Who Pays for a Data Breach?,” “Bienville Orthopaedic Specialists Sued Over Data Breach,” “The Price of a Data Breach,” “Banner Health Agrees to Pay $6 Million for Data Breach,” “Victims Can Sue Ortho Clinics if Data Hacked,” and “Anthem Pays a Record $16 Million to Settle Data Breach.”

Discussion
This is a fascinating development. In my practice we've seen similar outcomes with the revised protocol. The key differentiator seems to be patient selection criteria. Has anyone else noticed the correlation with BMI thresholds?
Great point. I'd push back slightly on the conclusion; the sample size in the cited study is too small to draw population-level inferences. That said, the directional signal is compelling and worth a larger RCT.
We implemented a similar approach last year. Early results are promising but we're still gathering 12-month follow-up data. Happy to share our protocol if anyone is interested.