A U.S. Department of Health and Human Services review of HVHS' electronic medical records system and security provisions following the malware attack identified failures to conduct a risk analysis of the system to determine vulnerabilities, develop contingency plans to respond to emergencies such as ransomware attacks, and to restrict access to the records to authorized users. In addition to the $950,000 payment, HVHS agreed to implement a corrective action plan and three years of HHS compliance monitoring.
"Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive to cyber criminals," HHS Office for Civil Rights Director Melanie Fontes Rainer said in a prepared statement. "We remind and urge health care entities to protect their records systems and patients from cyberattacks."
HVHS officials were not immediately available for comment.
HVHS' corrective action plan includes implementing multi-step authentication to ensure that only authorized users can access electronic protected health information such as patient medical histories and treatments.
In 2019, HVHS filed a three count civil lawsuit in the U.S. District Court for the Western District of Pennsylvania against Burlington, Mass.-based Nuance Communications Inc. over the malware attack, saying the damage was "immediate and substantial." HVHS claimed that the computer virus, which originated in Ukraine, first infected Nuance's computer system before spreading to HVHS' computer records through a shared virtual private network, where it caused millions of dollars of damage.
The attack by malware dubbed NotPetya began around 7:30 a.m. June 27, 2017 and soon infected the entire health system, including satellite offices. The lawsuit was dismissed by U.S. District Court Judge Robert J. Colville in 2020.
HVHS serves patients in Beaver and Allegheny counties, Ohio and the West Virginia panhandle through three hospitals and numerous outpatient care centers. The system also provide cancer cancer care through a joint venture with UPMC.
© 2024 the Pittsburgh Post-Gazette. Distributed by Tribune Content Agency, LLC.
