Pension & Benefits News
Tuesday, March 24, 2020

Patient information held for ransom leads to $100,000 HIPAA settlement

By Pension and Benefits Editorial Staff

An HHS Office for Civil Rights (OCR) compliance review found a Utah gastroenterology practice to be in significant noncompliance with the HIPAA rules after the practice submitted a breach report. According to that report, the practice had contracted with an electronic health records (EHR) company, and a third-party company related to the EHR company had accessed patient information and held it for ransom. OCR found that the practice had failed to protect patient information and had failed to obtain adequate assurances from its outside vendors that they would protect it.

Breach. The physician's gastroenterology practice served more than 3,000 patients per year in Utah. The practice submitted a breach report indicating that a business associate of the practice's EHR company had blocked the practice's access to its patients' electronic protected health information (ePHI) until the physician paid $50,000. Under the HIPAA Security Rule, a loss of access to ePHI is a security incident in its own right, since the rule requires covered entities to protect the availability of ePHI as well as its confidentiality and integrity.

OCR initiated a compliance review of the practice following the breach submission and found significant noncompliance with the HIPAA rules. OCR determined that the practice had failed to implement policies and procedures to prevent, detect, contain, and correct security violations. It further found that the practice had permitted the EHR company to create, receive, maintain, or transmit ePHI on the practice's behalf since at least 2013 without obtaining satisfactory assurances that the EHR company would appropriately safeguard that ePHI; under HIPAA those assurances are documented in a written business associate agreement (BAA).

Resolution agreement. The practice agreed to pay HHS $100,000 and entered into a two-year Corrective Action Plan (CAP). Under the terms of the CAP, the practice must conduct a risk analysis, establish a risk management plan that addresses the risks and vulnerabilities identified in that analysis, and submit an implementation report attesting that the risk management plan is being carried out. The practice must review the risk analysis annually and submit annual reports on its compliance with the CAP. Its policies on business associate relationships and on the use and disclosure of PHI must be revised, and workforce members must be trained on the HIPAA and PHI policies.

SOURCE: Resolution Agreement, February 26, 2020.
