While DataBreaches was aware of the 2023 incident referenced below, this site was not aware of any 2019 ransomware attack. The following is a press release issued by HHS OCR today:
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Guam Memorial Hospital Authority (GMHA), a public hospital on the U.S. Territory, island of Guam, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of two complaints alleging that the electronic protected health information (ePHI) of GMHA patients was impermissibly disclosed.
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information.
OCR initiated an investigation following the receipt of a complaint in January 2019 alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hacker(s) had accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.
“Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats,” said OCR Acting Director Anthony Archeval.
Under the terms of the resolution agreement, GMHA agreed to implement a corrective action plan that will be monitored by OCR for three years, and paid OCR $25,000. Under the corrective action plan, GMHA has agreed to take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
- Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
- Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
- Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
- Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been conducted.
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-recap-gmha.pdf, opens in a new tab [PDF, 228 KB]
Source: HHS