
Is your healthcare organization ready for a triple threat, or are you playing a risky game of cybersecurity roulette with delayed access, ransomware demands, and a missing incident response plan? Today, we explore three tales in healthcare that are equal parts cautionary and compelling. We kick things off with the Healthcare and Public Health Sector Coordinating Council’s shiny new cyber incident response checklist—aka your cheat sheet for keeping calm in the face of chaos. Then, we give you the juicy details of a hefty civil money penalty slapped on a healthcare entity for dragging their feet on providing patient records (spoiler alert: patience isn’t a virtue when it comes to HIPAA). Finally, we unravel the saga of a ransomware attack that not only encrypted data but also emptied some wallets. Whether you’re here to learn, laugh, or just feel better about your own compliance game, this episode’s got you covered. Buckle up, because the HIPAA ride is wild!
In this episode:
Access Delayed, Ransom Paid, Cyber Aid Conveyed – Ep 487
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
Access Delayed, Ransom Paid, Cyber Aid Conveyed
Tip of the Week
HSCC’s New Cyber Incident Response Checklist
[06:52] The Healthcare and Public Health Sector Coordinating Council (HSCC) has released a brand-new Cyber Incident Response Executive Checklist to help healthcare leaders tackle cybersecurity incidents effectively. Here’s the scoop:
What is it?
This checklist is a streamlined guide designed specifically for executives in the healthcare sector to:
- Understand their role during a cyber incident.
- Facilitate quicker, better-informed decision-making under pressure.
- Coordinate effectively with IT teams and external stakeholders.
Why does it matter?
Cyberattacks in healthcare aren’t just a tech issue—they’re a patient safety issue. The checklist bridges the gap between tech-heavy response plans and the high-level leadership perspective that healthcare executives bring to the table. Think of it as a “cheat sheet” for staying calm and collected when chaos strikes.
Key Features:
- Action-Oriented: Focuses on immediate and strategic actions, not deep technical details.
- Broad Applicability: Useful for healthcare entities of all sizes, from local practices to massive systems.
- Aligned with Industry Best Practices: Developed with insights from cybersecurity experts and healthcare leaders.
What’s in the Checklist?
The checklist covers critical areas like:
- Initial response actions.
- Communication strategies (internally and with external partners).
- Compliance considerations during and after an incident.
- Long-term recovery and prevention measures.
Why you should care:
If you’re in healthcare and think “cybersecurity is IT’s problem,” this checklist is for you. The idea is to empower executives to make confident, informed decisions that directly affect both organizational and patient outcomes.
Where to find it:
- Press Release: HSCC Cyber Incident Response Checklist Press Release
- Checklist Download: Executive Cyber Incident Response Checklist
HIPAA Briefs
Another right of access case leads to a CMP, not a settlement and CAP.
[11:26] HHS Office for Civil Rights Imposes a $100,000 Penalty Against Mental Health Center for Failure to Provide Timely Access to Patient Records
“Patients should never be in the position of needing to request their own medical records over and over again before getting access to them,” said OCR Director Melanie Fontes Rainer. “Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”
OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo, the mental health center in question, provided them. The patient made multiple telephone calls in July and August 2020 regarding the status of her request but still did not receive the requested records. Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule. In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. As a result of OCR’s investigation, the patient received her records in 2020.
The patient asked for the records and later got a call saying they were ready and to come pick them up on a certain day. The patient arrived, waited 20 minutes with no response, gave up, and said to call back when the records were actually ready.
The facility said the delay happened because staff were checking with someone else about fulfilling the request, so the records clearly were not ready when the patient was first called. Staff eventually went looking for the patient, but she had already left. They said they tried to reach her once they realized she was gone but could not.
Guess what: after that it does not appear that anyone did anything. No one alerted leadership, no one made any further attempt to solve the problem, nothing.
Finally, the patient called back several times and got no further than being transferred into a black hole where no one answered. This went on for a couple of months before the complaint was filed with OCR.
OCR gave them some leeway at first because the request was made in March 2020, right before the lockdown. The first call came May 22, telling the patient to come pick up the records on May 27.
We missed one of the SRA and ransomware cases, and it is a big one
[22:03] This one is a settlement with Plastic Surgery Associates of South Dakota (PSASD) in Sioux Falls after it reported a ransomware attack. Plastic Surgery Associates of South Dakota Resolution Agreement and Corrective Action Plan | HHS.gov
This one is for $500,000 plus a two-year CAP.
“Ransomware attacks often reveal a provider’s underlying failures to comply with the HIPAA Security Rule requirements such as conducting a risk analysis or managing identified risks and vulnerabilities to health information,” said OCR Director Melanie Fontes Rainer. “Such failures can make our doctors and hospitals attractive targets for cyberattacks and can lead to break downs in our health care system.”
A breach report was filed in July 2017 stating that they had discovered 9 workstations and 2 servers infected with ransomware, with 10,229 patient records encrypted. The attackers got in by brute force, guessing passwords against the practice’s Remote Desktop (RDP) connection, which means the service was reachable by the attacker and a guessable password was all it took. To make it worse, they were unable to restore the affected servers from backup, so they paid a bitcoin ransom of $27,399.97 (yep, that exact amount).
The investigation revealed “that PSASD demonstrated significant noncompliance with the HIPAA Rules”. They failed to:
- Implement policies and procedures to prevent, detect, contain, and correct security violations.
- Conduct an accurate and thorough risk analysis.
- Implement security measures sufficient to reduce risks and vulnerabilities to a “reasonable and appropriate level.”
- Establish and implement policies and procedures for regularly reviewing system activity.
- Implement policies and procedures to address security incidents.
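The “regularly reviewing system activity” failure is worth making concrete. An RDP brute force does not look like one login; it looks like a long run of failed logons from a single source followed by one success. The script below is an added example written for these notes, not code from the show, from OCR, or from PSASD. It reads constructed Windows Security log records (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) in a simplified key=value text form and flags any source IP whose failures reach an assumed threshold inside an assumed time window, noting whether a success followed. The IPs, usernames, timestamps, threshold, and window are all made up for illustration.

```python
"""Flag RDP password guessing in (constructed) Windows Security log records.

Added example, not from the podcast or OCR's findings. Record format is a
simplified text rendering of the Windows Security events a SIEM or log
review would see; the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20             # assumed: failures from one source before alerting
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures
RDP_LOGON_TYPE = 10             # RemoteInteractive (RDP) in Windows Security logs


def parse_event(line):
    """Parse '2017-07-01T02:00:00 EventID=4625 LogonType=10 TargetUserName=x IpAddress=y'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "event_id": int(rec["EventID"]),
        "logon_type": int(rec["LogonType"]),
        "user": rec["TargetUserName"],
        "ip": rec["IpAddress"],
    }


def detect_rdp_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose RDP failures reach `threshold`
    within `window`. If a successful RDP logon from that IP follows the
    alert, record which account it landed on."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(list)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)     # ip -> usernames tried
    alerts = {}
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP logons matter for this detection
        ip = e["ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append(e["ts"])
            users[ip].add(e["user"])
            while q and e["ts"] - q[0] > window:   # expire old failures
                q.pop(0)
            if ip in alerts:
                a = alerts[ip]
                a["failures"] = max(a["failures"], len(q))
                a["last"] = e["ts"]
                a["users"] = set(users[ip])
            elif len(q) >= threshold:
                alerts[ip] = {"ip": ip, "failures": len(q), "first": q[0],
                              "last": e["ts"], "users": set(users[ip]),
                              "succeeded_as": None}
        elif e["event_id"] == 4624 and ip in alerts:
            alerts[ip]["succeeded_as"] = e["user"]  # a guess landed
    return list(alerts.values())


def _build_sample():
    """Constructed sample log: a 30-guess run from one address that ends in
    a success, plus a staff member on the LAN who mistypes twice."""
    base = datetime(2017, 7, 1, 2, 0, 0)
    attacker, lan = "203.0.113.7", "192.168.10.25"
    lines = []
    for i in range(30):
        user = ["Administrator", "admin", "backup", "scanner"][i % 4]
        ts = (base + timedelta(seconds=8 * i)).isoformat()
        lines.append(f"{ts} EventID=4625 LogonType=10 TargetUserName={user} IpAddress={attacker}")
    ts = (base + timedelta(seconds=8 * 30)).isoformat()
    lines.append(f"{ts} EventID=4624 LogonType=10 TargetUserName=backup IpAddress={attacker}")
    for i in range(2):
        ts = (base + timedelta(hours=6, seconds=30 * i)).isoformat()
        lines.append(f"{ts} EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress={lan}")
    ts = (base + timedelta(hours=6, seconds=90)).isoformat()
    lines.append(f"{ts} EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress={lan}")
    return lines


SAMPLE_LOG = _build_sample()

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{a['ip']}: {a['failures']} RDP failures between {a['first']} and "
              f"{a['last']}, accounts tried {sorted(a['users'])}, "
              f"success as {a['succeeded_as']}")
```

Run on the constructed sample it reports the attacker address with 30 failures across four account names and a success as “backup”, and stays silent on the two LAN typos. The detection is the easy part; the control side is not exposing RDP directly, requiring a VPN or MFA in front of it, enforcing account lockout, and actually having someone look at this output on a schedule, which is what the CAP is asking for.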
One thing of note from the CAP:
Security Incident Procedures
PSASD shall create and implement policies and procedures to address security incidents, including a process for: identifying and responding to known security incidents; mitigating, to the extent practicable, harmful effects of known security incidents; and documenting (in writing) security incidents and their outcomes.
Seriously, folks, this is what you are supposed to be doing.
PSA for the Holidays
[45:24] As we mention often, cyberattacks ramp up during the holiday season, and scammers are using increasingly sophisticated tactics, often powered by AI technologies. With recent major breaches, like the National Public Data and Change Healthcare breaches, attackers now have more personal information about us than ever before, making their scams even more convincing.
Be on the lookout: scams are coming from everywhere, including phone calls, mail, text messages, and emails. Always question everything, especially if it triggers a strong emotional reaction like fear or urgency. These scams are designed to exploit trust and emotions to pressure quick decisions. Spread the word and help educate your friends and neighbors. Stay alert and take an extra moment to verify before responding. Protecting yourself this holiday season starts with awareness.
As we wrap up, let this episode serve as your cybersecurity wake-up call. Whether it’s learning from a costly right-of-access mishap, realizing that ransomware doesn’t just target the big players, or equipping your organization with the HSCC’s latest cyber incident checklist, the takeaways are clear: preparation, action, and compliance are your best defenses. Remember, a little vigilance today can save a lot of headaches (and money) tomorrow. Stay proactive, stay informed, and most importantly, stay off OCR’s naughty list. Until next time—HIPAA, schmipaa? Not on our watch!
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.


