A New York City neurology practice, Comprehensive Neurology, PC, has settled an alleged HIPAA violation for $25,000
In this case about 6,800 patients were affected. The event was the result of a ransomware attack. The attack prevented the practice from accessing its patients' medical records, and information was potentially stolen, including patient names, clinical information, Social Security numbers and more.
The key word here is potentially. Under the federal government's ransomware guidance, a ransomware attack that encrypts electronic protected health information is presumed to be a HIPAA breach unless the practice can demonstrate a low probability that the information was compromised, for example by showing that the data was never sent off its network to the attackers who deployed the ransomware.
Network logging records the volume of data moving on and off your network and where it went. If the practice had been able to review its network logs and show that patient data did not leave the network, it could have supported a finding that the information was not exposed to an unauthorized individual, and it might have avoided this fine. Two caveats apply: the logs must be retained long enough to cover the whole intrusion period, not just the day the encryption ran, and they should be forwarded to a system the attacker cannot reach, because attackers frequently clear local logs before encrypting.
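As an added example of the review described above (this is not code from the original post or from the practice involved), the script below aggregates outbound bytes from internal hosts to external destinations over a set of connection-log lines and flags any host/destination pair whose cumulative volume exceeds a threshold. The log format, the sample lines, the RFC 1918 definition of "internal" and the 100 MiB threshold are all assumptions made for illustration; real firewall or NetFlow exports differ in layout, but the aggregation is the same.

```python
"""
Summarise outbound transfer volume from connection logs to support (or refute)
a "no data left the network" conclusion after a ransomware incident.

Added example, not code from the original post. Assumed log format
(whitespace-separated, constructed for this example):
    <ISO timestamp> <src ip> <dst ip> <dst port> <bytes sent by src>
"""
import ipaddress
from collections import defaultdict

# Constructed sample log lines: SMB traffic between internal hosts, DNS,
# one small HTTPS session, and two large HTTPS uploads to one external host.
SAMPLE_LOG = """\
2020-02-10T02:14:03 10.0.1.25 10.0.1.5 445 20480
2020-02-10T02:14:09 10.0.1.25 10.0.1.7 445 30720
2020-02-10T02:20:41 10.0.1.25 203.0.113.44 443 734003200
2020-02-10T02:22:00 10.0.1.31 198.51.100.9 443 5120
2020-02-10T02:23:15 10.0.1.25 203.0.113.44 443 1073741824
2020-02-10T09:00:00 10.0.1.40 8.8.8.8 53 128
"""

# Assumption: the practice's LAN uses RFC 1918 space; adjust for your network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_str):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the assumed log format into a list of dicts; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def outbound_summary(records):
    """Total bytes sent from each internal host to each external destination.

    Internal-to-internal traffic (e.g. the SMB lines) is ignored: it cannot
    be exfiltration by itself, and including it would inflate the numbers.
    """
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[(r["src"], r["dst"])] += r["bytes"]
    return dict(totals)


def total_external_bytes(records):
    """Overall volume that left the network during the logged period."""
    return sum(outbound_summary(records).values())


def flag_exfiltration(records, threshold_bytes=100 * 1024 * 1024):
    """(src, dst, total) tuples whose cumulative outbound volume exceeds the threshold,
    largest first. The 100 MiB default is an assumed starting point, not a standard."""
    hits = [(src, dst, total)
            for (src, dst), total in outbound_summary(records).items()
            if total > threshold_bytes]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"bytes leaving the network: {total_external_bytes(recs):,}")
    for src, dst, total in flag_exfiltration(recs):
        print(f"REVIEW: {src} -> {dst} sent {total:,} bytes")
```

Run against the constructed sample, the two uploads from 10.0.1.25 to 203.0.113.44 sum to roughly 1.7 GiB and are the only pair flagged; the DNS and small HTTPS sessions stay under the threshold. In a real review you would run this over the retained logs for the whole intrusion window and then explain every flagged pair (backup vendor, cloud EHR sync, or something that needs to go in the breach notification).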
The other issue here is that the practice was not able to access patient records. Every practice needs to have a disaster recovery plan, and that plan should be tested. If the practice had had a sound backup plan and a disaster recovery plan that let it 'reset' its computers, reinstall the software and load the backup, it could have regained access to its patient data for patient care purposes relatively quickly. The backups themselves must be kept where the ransomware cannot reach them (offline, or on storage that the compromised machines cannot overwrite), or they will be encrypted along with everything else.
Network auditing and logging are among the items we regularly recommend to our clients, and we recommend that our clients back up their data regularly and test restoring it at least twice a year. If Comprehensive Neurology had had these in place, it might have avoided the $25,000 cost. In addition to the monetary settlement, the practice is now on a Corrective Action Plan and will be monitored by the Office for Civil Rights (OCR) for implementation of that plan.
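The restore test recommended in the two paragraphs above, as an added example that is not code from the original post: it takes a backup of a directory, records a SHA-256 manifest of every file, restores the archive into a fresh location and checks each restored file against the manifest. A restore that reports missing or mismatched files is a failed test, which is exactly what you want to learn twice a year rather than on the morning of an incident. The tar.gz format, the manifest layout and the "data" archive prefix are assumptions for this example.

```python
"""
Backup-and-restore verification: build a backup, then prove it restores intact.

Added example, not code from the original post. Assumes a plain tar.gz
archive and a SHA-256 manifest keyed by path relative to the backed-up root.
"""
import hashlib
import os
import tarfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large records do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def make_backup(src_dir, archive_path):
    """Archive src_dir to archive_path and return the manifest taken at backup time.

    Store the manifest separately from the archive (and from the source
    machines) so it cannot be altered by whatever later damages the originals.
    """
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname="data")  # assumed archive prefix
    return manifest


def restore_and_verify(archive_path, manifest, dest_dir):
    """Extract the archive into dest_dir and compare every file to the manifest.

    Returns a dict with 'ok' plus the lists of missing and mismatched paths.
    """
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # The 'data' filter (Python 3.12+, backported to some 3.8-3.11
            # releases) refuses absolute paths and '..' traversal in members.
            tar.extractall(dest_dir, filter="data")
        except TypeError:
            tar.extractall(dest_dir)
    restored = build_manifest(os.path.join(dest_dir, "data"))
    missing = sorted(p for p in manifest if p not in restored)
    mismatched = sorted(p for p in manifest
                        if p in restored and restored[p] != manifest[p])
    return {"ok": not missing and not mismatched,
            "missing": missing, "mismatched": mismatched}


def run_restore_test(src_dir, work_dir):
    """One complete test cycle: back up src_dir, restore it elsewhere, verify."""
    archive = os.path.join(work_dir, "backup.tar.gz")
    restore_dir = os.path.join(work_dir, "restore")
    os.makedirs(restore_dir, exist_ok=True)
    manifest = make_backup(src_dir, archive)
    return restore_and_verify(archive, manifest, restore_dir)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "records")
        os.makedirs(os.path.join(src, "charts"))
        with open(os.path.join(src, "charts", "p001.txt"), "w") as f:
            f.write("constructed sample chart\n")
        print(run_restore_test(src, tmp))
```

Restoring into a separate directory (or, better, onto a spare machine) rather than over the live data is deliberate: the test must not be able to damage the system it is meant to protect, and a restore that only works in place tells you nothing about rebuilding from scratch.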