HHS' Office for Civil Rights has imposed a $240,000 civil monetary penalty on Providence Medical Institute, located in Southern California, due to possible violations of the HIPAA security rule.
According to an Oct. 3 news release, the penalty follows an investigation initiated by OCR after receiving a breach report in April 2018. The report revealed that a series of ransomware attacks had compromised the electronic protected health information of approximately 85,000 individuals between February and March 2018.
The investigation revealed that the servers containing the patient information were encrypted by ransomware on three separate occasions.
The agency identified two violations of the HIPAA security rule: Providence Medical Institute failed to establish a business associate agreement and did not implement adequate policies and procedures to restrict access to electronic protected health information to authorized personnel or software programs.
In March 2024, the agency issued a notice of proposed determination recommending a civil monetary penalty. Providence Medical Institute opted to waive its right to a hearing and did not dispute OCR's findings, resulting in the imposition of a $240,000 penalty, according to the release.
Providence Medical Institute is a non-profit organization that offers physician services through a network of 200 providers working across 32 medical offices, including seven urgent care centers.