Lesson learned from the HHS settlement with Northeast Surgical Groups

Northeast Surgical Group recently settled with the HHS, agreeing to pay $10,000 and comply with a corrective action plan due to violations of HIPAA.

The timeline

Beginning in March 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received a breach report concerning a ransomware attack on the Northeast Surgical Group (NESG) information system. The cyberattack resulted in the encryption and exfiltration of the protected health information (PHI) of 15,298 patients. Following the breach, OCR initiated an investigation and found that NESG had failed to conduct a compliant risk analysis to identify and address the potential risks and vulnerabilities to electronic PHI (ePHI) in its systems, as required by the HIPAA Security Rule. 

In response to OCR’s findings, NESG agreed to resolve the matter by implementing a corrective action plan and paying $10,000 to OCR as part of the settlement. The corrective action plan includes specific measures, such as conducting a thorough risk analysis, developing a risk management plan, updating HIPAA policies and procedures, and providing workforce training on HIPAA compliance. OCR announced the settlement publicly on January 15, 2025. 

The background of the OCR’s Risk Analysis Initiative

The initiative began as a result of covered entities and business associates historically failing to comply with the HIPAA Security Rule’s risk analysis requirement. The OCR’s emphasis on risk analysis was solidified following audits conducted in 2016 and 2017 that revealed significant deficiencies in how organizations assess and manage risks related to ePHI. In response, the OCR launched a new enforcement initiative in 2023 focused on compliance with these provisions. 

The NESG’s corrective plan

Here are the primary terms of the corrective action plan:

1. NESG agrees to pay a $10,000 settlement to HHS in one lump sum.
2. NESG must comply with the corrective action plan attached to the Agreement.
3. If NESG breaches the plan and does not fix the breach, it will violate the Agreement.
4. HHS will release NESG from further actions related to the incident if NESG complies with the Agreement.
5. NESG waives procedural rights, including notice, hearing, and appeal, regarding the payment and obligations in this Agreement.
6. The Agreement is binding on NESG and its successors, heirs, transferees, and assigns.
7. Each party will cover its own legal and other costs related to this Agreement.
8. The Agreement does not release claims against other parties.
9. Modifications to the Agreement must be in writing and signed by both parties.
10. The Agreement becomes effective on the date signed by the last party.
11. NESG agrees to toll (pause) the statute of limitations for six years from the date of the violation.
12. There are no restrictions on publishing the Agreement.
13. The Agreement can be signed in counterparts, meaning each signed copy is considered valid.
14. The signatories confirm they are authorized to sign on behalf of NESG and HHS.

Recommended steps to mitigate or prevent cyber threats

1. Review all vendor and contractor relationships like with HIPAA compliant email platforms to ensure appropriate business associate agreements are in place.
2. Integrate regular risk analysis and risk management into business processes.
3. Ensure audit controls are in place to record and examine information system activity.
4. Conduct regular reviews of information system activity.
5. Use multi-factor authentication to allow only authorized users to access ePHI.
6. Encrypt ePHI to protect it from unauthorized access.
7. Incorporate lessons learned from past incidents into the organization’s overall security management process.
8. Provide job-specific training on privacy and security regularly and reinforce the workforce’s critical role in protecting information.

FAQs

What is cybersecurity risk analysis?

Cybersecurity risk analysis is the process of identifying, evaluating, and prioritizing potential threats and vulnerabilities to an organization's information systems to mitigate risks effectively.

Why is a cybersecurity risk assessment important?

A cybersecurity risk assessment helps organizations understand their vulnerabilities, evaluate the likelihood and impact of cyber threats, and develop strategies to protect sensitive information and assets.

What steps are involved in conducting a cybersecurity risk assessment?

Steps typically include determining the scope of the assessment, identifying critical assets, analyzing potential threats and vulnerabilities, evaluating risks, and developing mitigation strategies.