U.S. Health Dept Announces $80K Settlement Linked to Ransomware Attack
The U.S. government is trying to crack down harder on HIPAA violations that lead to ransomware attacks.
The U.S. Department of Health and Human Services (HHS) on Tuesday announced an $80,000 settlement with Elgon Information Systems, a Massachusetts-based electronic medical record company, on the heels of an investigation into a 2023 ransomware attack on the company.
“OCR’s investigation determined that Elgon failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to [electronic protected health information] in its system,” according to the HHS office in a press release.
Why It Matters: This is the eighth ransomware investigation settlement by the HHS Office of Civil Rights (OCR). The fine comes as the U.S. government grapples with how to deal with security challenges across the healthcare sector, which continues to be hit hard by ransomware actors, as seen most visibly last year by the cyberattack on Change Healthcare. The OCR said that overall, it has seen a massive upward spike (264 percent) since 2018 in ransomware attacks reported to its office.
Key Details:
- The 2023 ransomware attack on Elgon’s information systems impacted the health information of approximately 31,248 individuals, including sensitive clinical data like diagnoses, conditions and medications.
- Under the settlement, Elgon has agreed to pay $80,000 to OCR and implement a strategy to better secure electronic protected health information.
- The OCR will also monitor Elgon for three years to make sure it is compliant with HIPAA.
The Background: Elgon did not detect the unauthorized access on its information system until six days after the initial intrusion on March 25, 2023, when a ransom note was found. The health data that was compromised included names, Social Security numbers, addresses, driver’s licenses and dates of birth, in addition to clinical information. Moving forward, as part of the settlement Elgon will need to take steps to better incorporate risk analysis and risk management strategies for protecting electronic protected health information. It will also need to provide workforce training in HIPAA policies.
The Big Picture: The OCR has aimed to crack down on HIPAA violations with its OCR Risk Analysis Initiative, which focuses on investigations in compliance with the HIPAA Security Rule Risk Analysis provision. The initiative’s goal is to increase the number of completed investigations and showcase the need for more attention and better compliance with HIPAA, according to the OCR. Elgon is the second organization under this initiative to face a penalty. The first, in October 2024, was Bryan County Ambulance Authority, which had to pay $90,000.
“A HIPAA compliant risk analysis is not only required under the law, but is also an essential step in effective cybersecurity,” said OCR Director Melanie Fontes Rainer in a statement. “The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed.”