HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Guam Memorial Hospital Authority

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced a settlement with Guam Memorial Hospital Authority (GMHA) regarding potential HIPAA violations after incidents in which patient ePHI was improperly disclosed. Following complaints of a ransomware attack in 2019 affecting about 5,000 individuals and further complaints in 2023 regarding hacking, OCR found that GMHA failed to perform a necessary risk analysis. GMHA has agreed to a corrective action plan and to pay $25,000 to settle the case.
"Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats," said OCR Acting Director Anthony Archeval.
"Under the terms of the resolution agreement, GMHA agreed to implement a corrective action plan that will be monitored by OCR for three years, and paid OCR $25,000."
Read at Databreaches