Beaver, Pa.-based Heritage Valley Health System has agreed to pay HHS $950,000 for HIPAA violations following a ransomware attack on the organization.
HHS' Office for Civil Rights launched an investigation into Heritage Valley alleging that the health system violated the HIPAA security rule, according to a July 1 news release from HHS. The investigation revealed that Heritage Valley had multiple potential violations of the HIPAA security rule, including failure to conduct a risk assessment, failure to create a plan to handle emergencies and failure to implement policies whereby only authorized users could access its EHR system.
As part of the agreement, Heritage will pay $950,000 and implement an action plan which the Office for Civil Rights will monitor for three years. Under the plan, Heritage is committing to training its workforce on HIPAA procedures, conducting risk assessments and reviewing its policies to comply with HIPAA.
This is the Office for Civil Rights' third ransomware settlement, according to the release.