November 7, 2024 Healthcare practices felt quite a scare on Halloween, with over half a million dollars in fines levied on medical practices. These practices were fined for not taking the necessary precautions against ransomware breaches. The two practices impacted on this day of significant fines include Plastic Surgery Associates of South Dakota in Sioux Falls (PSASD), a multi-location organization, and the Bryan County Ambulance Authority (BCAA), an Oklahoma emergency medical services provider. PSASD was fined $500,000, and BCAA was fined $90,000. These significant fines are just the precipice of the future of healthcare breaches, with ransomware breaches increasing 264% since 2018. What Happened? Major ransomware attacks unfortunately impacted both of these healthcare providers. For PSASD, a breach was discovered that infected nine workstations and two servers in July 2017. This breach impacted over ten thousand patients, putting their data at risk. The malicious actors utilized trial and error to hack into the organization’s system. The data was unable to be restored. The investigation revealed significant gaps in their compliance program, including a missing Security Risk Analysis, inadequate policies and procedures for data handling and breach reporting, and insufficient training. This $500,000 penalty also includes two years of monitoring by the Office For Civil Rights (OCR). For the BCAA, its ransomware attack began in November 2021, but wasn’t reported until May of the following year. After a breach, depending on the severity, you must notify the OCR within 60 days. Since this breach impacted over 14,000 patients or over 500 people, it is considered a large breach. Similar requirements, such as a Security Risk Analysis, adequate policies, a risk management plan, and other safeguards, were missing as found in this investigation. It’s $90,000 fine includes a Corrective Action Plan as well. Protecting Your Practice from Ransomware Ransomware attacks will continue to affect our healthcare system. Although complete immunity is impossible, there are many precautions you can take to protect your practice. Implementing the right technical safeguards, such as firewalls, antivirus software, and a qualified IT team is crucial. Additionally, you can streamline your HIPAA compliance by using intelligent software solutions that help identify your compliance needs unique to your practice. In the event of an attack, these solutions can also guide you on how to respond effectively. To learn more about these smart solutions, meet with a compliance expert today.