$240,000 Penalty Against CA-Based Providence Medical Institute

Oct. 14, 2024
Following an investigation, the HHS Office for Civil Rights imposed a penalty against Providence Medical Institute for violation of the HIPAA Security Rule

Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California. The penalty concerns potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and follows OCR’s investigation of a breach report about a ransomware attack.

In a news release, OCR stated it had initiated an investigation following the receipt of a breach report filed by Providence Medical Institute in April 2018. In the report, Providence noted that its systems were impacted by a series of ransomware attacks that affected the electronic protected health information (ePHI) of 85,000 persons.

OCR’s investigation determined that servers containing ePHI were encrypted with ransomware three times. It revealed two potential violations of the HIPAA Security Rule: failure to have a business associate agreement in place, and failure to implement policies and procedures to allow only authorized people or software programs access to ePHI.

Per the news release, OCR issued a Notice of Proposed Determination in March 2024 seeking to impose a civil money penalty. Providence Medical Institute waived its right to a hearing and did not contest the findings. OCR imposed a civil penalty of $240,000.

HHS reported a 264 percent increase in significant breaches involving ransomware attacks reported to OCR since 2018.

“Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer in a statement. “The healthcare sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all healthcare entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.”
