The U.S. Department of Health and Human Services (HHS) has reached a settlement agreement with an American company that processes medical data for clinics, on charges of major security flaws in violation of the Security Rule under the Health Information Portability and Accountability Act (HIPAA). The company, which operates as a Business Associate under HIPAA, was a victim of a hacking attack that began in April 2017. Yet it only detected the incident in December 2018 when ransomware encrypted and crippled its database, affecting the medical information of over 200,000 patients.

HHS accused the company of failing to conduct the required risk assessments and vulnerability checks in compliance with HIPAA. HHS also accused the company of neglecting to systematically monitor system logs. The company does not admit to any wrongdoing in the settlement, and agrees to pay a $100,000 fine and implement a corrective action plan.

The Corrective Action Plan requires the company to implement measures to improve its data security practices and ensure compliance with HIPAA regulations. This includes conducting risk assessments, enhancing data protection protocols, and regularly monitoring their systems for security threats. The plan is designed to address the deficiencies that led to the data breach and to prevent such incidents in the future.

Click here to read the Resolution Agreement.