Skip to Main Content
Services Talent Knowledge
Site Search
Menu

News

December 19, 2024

NYMGMA eNewsletter: "Recent Enforcement Actions Demonstrate That Cyberattacks Present Huge HIPAA Liability for Medical Practices"

Fran Ciardullo, special counsel, had her “Recent Enforcement Actions Demonstrate That Cyberattacks Present Huge HIPAA Liability for Medical Practices” article published in the December 2024 issue of New York Beat, the monthly enewsletter from the New York Medical Group Management Association (NYMGMA). The article discusses recent enforcement actions by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which underscore the significant HIPAA liability faced by medical practices due to ransomware attacks. 

Cyberthreats in health care have surged, with reported ransomware breaches of electronic health information increasing by 264 percent since 2018. In October 2023, OCR imposed its first ransomware-related fine, settling with a business associate for $100,000. In the following year, OCR announced several enforcement actions, including penalties against Cascade Eye and Skin Centers, Providence Medical Institute, Plastic Surgery Associates of South Dakota, and Bryan County Ambulance Authority. These settlements highlighted violations such as inadequate risk analysis, lack of system monitoring, and absence of required business associate agreements, with penalties ranging from $90,000 to $500,000.

These cases emphasize the critical need for HIPAA-covered entities to proactively protect electronic protected health information (ePHI) through robust compliance efforts. Fran’s article provides steps health care providers can take to mitigate risks and avoid substantial penalties, including conducting thorough risk analyses, implementing risk management plans, monitoring system activities, and ensuring vendor compliance through business associate agreements. The article also notes additional protective measures, such as multifactor authentication, encryption of ePHI, and regular workforce training, which are crucial for maintaining data security. OCR’s intensified focus on cybersecurity compliance serves as a warning for health care organizations to strengthen their defenses against the growing threat of ransomware.

Click here to read the full article.

Subscribe

Click here to sign up for alerts, blog posts, and firm news.

Featured Media

Alerts

Key Affordable-Housing Provisions in the One Big Beautiful Bill Act

Alerts

What the One Big Beautiful Bill Act Means for Clean-Energy Tax Credits

Alerts

One Big Beautiful Bill Act Changes Tax Incentives for Charitable Giving

Alerts

Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Wislande Claude, Felipe Fernandez, Howard Wilson, Lisa Cantwell, and Erika Alexandria—Targeting Businesses in Recent Flurry of Lawsuits

Alerts

NYS Appellate Court Holds Family Members Are Not Bound by Arbitration Agreement Signed by Deceased Relative

Alerts

Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Milagros Senior, Sylinia Jackson, Edery Herrera, Henry Tucker, and Carlton Knowles—Targeting Businesses in Recent Flurry of Lawsuits