Report on Patient Privacy 24, no. 10 (October, 2024)
Let’s review for a moment.
It’s not a HIPAA violation to be a victim of ransomware.
It’s not a HIPAA violation to pay a ransom.
It’s up to the covered entity (CE) to determine if a security or privacy incident is a breach reportable to the HHS Office for Civil Rights (OCR), patients, the media and state regulators (though, of course, authorities could disagree later).
Yet, on June 17, Amber Gilroy, CEO of Cascade Eye and Skin Centers P.C. of Washington state, signed a settlement agreement with OCR that included a $250,000 payment and an extensive two-year corrective action plan (CAP).[1] OCR didn’t announce the settlement until three months later, and then, as it has with the previous three similar settlements, linked it to the growing incidence of ransomware afflicting health care organizations.
Cascade was attacked in 2017—a particularly bad (or good, depending on the perspective) year for ransomware. Its attack that spring preceded the worldwide spread of both WannaCry and NotPetya. Yet, neither is what infiltrated Cascade’s systems, according to information provided to RPP by Gilroy and outside counsel John R. Christiansen. Nor was this handled as a reportable breach, echoing the $950,000 settlement between OCR and Heritage Valley Health System announced July 1.[2] In both, OCR based its enforcement action, in part, on an alleged failure to complete a risk analysis.
Another revealing detail from Christiansen: OCR officials personally visited Cascade offices during the investigation. Cascade, which dates its roots to 1967, has more than 30 providers in seven locations. It prides itself on involvement in numerous charitable causes, including providing free cataract surgery to needy patients and raising money for the American Heart Association and the American Cancer Society.
Both OCR’s announcement and agreement provide few details about what led to the settlement and the terms, particularly the payment amount—a situation not uncommon but often frustrating to covered entities (CEs) and business associates (BAs) who are continually advised to scrutinize every OCR enforcement action to understand how the agency operates and what to expect should they become the target of an investigation.
OCR said simply that officials were tipped off via a complaint on May 26, 2017, that Cascade “experienced a ransomware attack” in March of that year, which the agency stated “affected approximately 291,000 files that contained” electronic protected health information (ePHI).
OCR’s investigation “found multiple potential violations of the HIPAA Security Rule, including failures by Cascade Eye and Skin Centers to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems, and to have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack,” it said. However, the settlement agreement itself enumerates just two: risk analysis and regular review of system activity.
Gilroy and Christiansen told RPP they “wanted to reiterate” that the $250,000 is “not based on any finding of a breach, despite the OCR press release implications.” Whether a breach occurred “wasn’t cited or discussed as a possible violation or the basis for the amount of the payment,” they said. As with most settlements, Cascade did not admit to wrongdoing.
Gilroy, who joined Cascade in May 2021, and Christiansen answered all of RPP’s questions except one: the amount of the ransom.
Files Were Recovered After Ransom Paid
Here's what happened, according to Gilroy:
- “On March 21, 2017, Cascade discovered ransomware in its systems when a Cascade employee was unable to open a file in a shared folder. A Cascade IT employee determined that the file appeared to have been encrypted. Cascade immediately contacted its outsourced IT support team and disconnected the potentially infected servers from the network.”
- Next, “Cascade ran two anti-malware programs, which did not find any malicious software, but did determine that files in some segments contained files encrypted without authorization. Forensic investigation traced the source to a specific workstation onto which a Dharma ransomware virus variant had been downloaded, probably from a spam or spoofed email.”
- Cascade determined that “approximately 291,000 files which included PHI had been encrypted, limited to names, addresses and certain images. A ransomware demand document was found, ransom was paid, and the affected files were recovered.”
- The medical practice’s “forensic investigation indicated there had not been unauthorized access to any other systems or any exfiltration or other unauthorized transmission of information from the servers.”
“The servers were re-imaged without the corrupted data to bring systems back online as quickly as possible, and the encrypted data was recovered by information provided after ransomware payment,” Christiansen said. He added that, “as far as we know, the responsible individuals were never identified or charged.”
Gilroy said she was told that Cascade was “offline for several days. Our clinicians and staff quickly moved to a paper-based process but I can’t speak to any patient care being paused.”
Regarding the ransom, “We prefer not to provide the specific amount,” she said, noting, “the decision was made some years before I joined Cascade.”
Cascade’s “forensic and legal review” concluded “this was not a reportable breach, and no PHI was accessed by or exported to any unauthorized party,” Christiansen said.
In addition to the payment, Cascade is complying with the three-year CAP, which includes terms that go beyond the two specific violations OCR alleged occurred.[3]
According to the CAP, OCR said Cascade had potentially violated:[4]
- “The requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by [Cascade]. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
- “The requirement to implement procedures to regularly review records of information system activity. See 45 C.F.R. § 164.308(a)(1)(ii)(D).”
The agency also required Cascade to “establish and implement a contingency plan” and a procedure to identify unique users to better track activity within its electronic systems.
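Of the CAP items, the requirement to regularly review records of information system activity is the one most directly tied to catching an attack like Cascade’s early: the incident surfaced only when an employee could not open a file in a shared folder. The script below is an added illustration, not code from the article, from Cascade or from OCR. It reviews a constructed file-server audit log and flags any user/workstation pair that rewrites many distinct files on a shared folder within a short window, the activity pattern behind that first unopenable file. The log line format, the account and host names, the thresholds and the `.locked` suffix are all constructed assumptions, not details from the settlement.

```python
"""Review of file-server activity records (added example; the log format,
names and thresholds are constructed, not taken from the Cascade case)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit line shape: "<date> <time> user=<u> host=<h> op=<op> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)$"
)

# Operations that change what is stored on the share.
WRITE_OPS = {"WRITE", "RENAME", "DELETE"}

# Constructed sample log: a receptionist editing one spreadsheet, a backup
# service writing slowly, and one exam-room workstation rewriting many image
# files with a new suffix inside a single minute.
SAMPLE_LOG = """\
2017-03-21 08:02:11 user=jsmith host=WS-FRONT1 op=READ path=/share/schedule.xlsx
2017-03-21 08:03:40 user=jsmith host=WS-FRONT1 op=WRITE path=/share/schedule.xlsx
2017-03-21 08:09:05 user=jsmith host=WS-FRONT1 op=WRITE path=/share/schedule.xlsx
2017-03-21 09:15:02 user=rlee host=WS-EXAM3 op=WRITE path=/share/img/0001.jpg.locked
2017-03-21 09:15:10 user=rlee host=WS-EXAM3 op=WRITE path=/share/img/0002.jpg.locked
2017-03-21 09:15:18 user=rlee host=WS-EXAM3 op=WRITE path=/share/img/0003.jpg.locked
2017-03-21 09:15:27 user=rlee host=WS-EXAM3 op=WRITE path=/share/img/0004.jpg.locked
2017-03-21 09:15:35 user=rlee host=WS-EXAM3 op=WRITE path=/share/img/0005.jpg.locked
2017-03-21 09:15:45 user=rlee host=WS-EXAM3 op=WRITE path=/share/img/0006.jpg.locked
2017-03-21 10:00:00 user=svc_backup host=SRV-BKP op=WRITE path=/share/bkp/a.bak
2017-03-21 10:01:30 user=svc_backup host=SRV-BKP op=WRITE path=/share/bkp/b.bak
2017-03-21 10:03:00 user=svc_backup host=SRV-BKP op=WRITE path=/share/bkp/c.bak
2017-03-21 10:04:30 user=svc_backup host=SRV-BKP op=WRITE path=/share/bkp/d.bak
2017-03-21 10:06:00 user=svc_backup host=SRV-BKP op=WRITE path=/share/bkp/e.bak
"""


def parse_log(text):
    """Parse audit lines into (timestamp, user, host, op, path) tuples,
    skipping lines that do not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["user"], m["host"], m["op"], m["path"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_mass_rewrite(events, window_seconds=60, threshold=5):
    """Flag each (user, host) pair that touches at least `threshold` distinct
    paths with write-type operations inside any `window_seconds` window.
    A sliding window per actor keeps a slow backup job below the bar while a
    burst of rewrites from one workstation crosses it."""
    windows = defaultdict(deque)  # (user, host) -> deque of (ts, path)
    alerts = {}
    for ts, user, host, op, path in events:
        if op not in WRITE_OPS:
            continue
        key = (user, host)
        q = windows[key]
        q.append((ts, path))
        # Drop entries older than the window relative to the current event.
        while q and (ts - q[0][0]) > timedelta(seconds=window_seconds):
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            suffixes = sorted({p.rsplit(".", 1)[-1] for p in distinct})
            prev = alerts.get(key)
            alerts[key] = {
                "user": user,
                "host": host,
                "count": max(len(distinct), prev["count"] if prev else 0),
                "first_ts": prev["first_ts"] if prev else q[0][0],
                "suffixes": suffixes,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_mass_rewrite(parse_log(SAMPLE_LOG)):
        print(f"{a['first_ts']} {a['user']}@{a['host']}: "
              f"{a['count']} distinct files rewritten; suffixes={a['suffixes']}")
```

In a real review the thresholds would be tuned against a baseline of the share’s normal activity, and the alert would feed whichever ticketing or on-call process the contingency plan names; the point of the example is that the record review the CAP requires is a routine query over logs the file server already keeps, not a new product.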
OCR is not known for speedy resolution of its investigations, which holds true for Cascade as well. RPP asked the organization why it took seven years to reach a settlement.
“Cascade provided full cooperation to OCR and the investigation included an extensive OCR site visit and several follow-up inquiries from OCR,” Christiansen said. “The COVID pandemic probably played a significant role in the timing of the investigation, but we would prefer not to speculate as to the reasons for OCR’s timing or the amount of the consent amount.”
Cascade Sought a Lower Payment
The size of settlement amounts or fines OCR imposes for HIPAA violations is of concern to CEs and BAs, but OCR frequently gives no explanation. RPP has documented the variability in payments, and some organizations reported feeling forced into making payments they considered excessive.
For example, the CEO of Doctors’ Management Service—which was the first to enter a settlement stemming from a ransomware attack—told RPP OCR insisted his small billing firm pay $100,000 once the agency realized his cyber insurance would cover it.[5] He also described the five-year process to reach a settlement as “frustrating” and sometimes “terrifying,” as it threatened the survival of the company.
Similarly, Cascade had “hoped for more financial forbearance” from OCR in setting the payment, Gilroy said, adding that it “experienced financial difficulties during the pandemic, which affected resources.”
Commenting more generally on the compliance challenges that many CEs face, Gilroy noted that Cascade “is a relatively small organization with limited resources, which prior to my joining Cascade may have led to some underfunding of risk assessment and mitigation as operational needs were prioritized.”
‘Have Tools at Your Fingertips’
RPP asked what safeguards, upgrades, controls or other measures Cascade may have made after the attack. “We can’t go into any specifics for publication but have definitely implemented improvements,” Gilroy said. “Of course, this event happened seven years ago, so some safeguards and controls which might have been appropriate then aren’t appropriate, or sufficient, any longer.”
Cascade also “implemented multiple layers of safeguards, including security factors, audits and policies in an effort to identify and manage risks and vulnerabilities consistently with the Security Rule and industry standards, and with the CAP,” she added.
Asked what CEs and BAs could learn from Cascade’s experience, Gilroy said officials should “realize you cannot prevent every attack but have tools at your fingertips to prevent as much as possible and be prepared to recover.”
She added that it is “important to know who to call for IT support, investigation, and legal support. Do your own investigations but cooperate with OCR and help them understand your organization and its particular situation and needs.”
1 U.S. Department of Health and Human Services, “HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation under HIPAA Security Rule for $250,000,” news release, September 26, 2024, https://bit.ly/4eQvx13.
2 Theresa Defino, “Seven Years After Worldwide NotPetya Attacks, OCR Singles Out PA System, Collects Nearly $1M,” Report on Patient Privacy 24, no. 8 (August 2024), https://bit.ly/3XYq2Xg.
3 Theresa Defino, “Cascade’s CAP Has Breach Notification Focus, Frequent Reporting,” Report on Patient Privacy 24, no. 10 (October 2024).
4 U.S. Department of Health and Human Services, “Cascade Eye and Skin Centers, P.C. Resolution Agreement and Corrective Action Plan,” content last reviewed September 26, 2024, https://bit.ly/4gFBJec.
5 Theresa Defino, “BA Depicted by OCR as Example of Ransomware Dangers Recovered Quickly, Didn’t Expect Fine,” Report on Patient Privacy 23, no. 11 (November 2023), https://bit.ly/41W7WqD.