
If ignoring cybersecurity was a sport, some companies would be gold medalists—until they realize the prize is a hefty fine and years of regulatory headaches. It’s like leaving your car unlocked in a sketchy part of town with a neon sign that says, “Free Stuff Inside.” What could possibly go wrong? Well, in this episode, we break down six real-life cases that prove skimping on security is way more expensive than just doing it right in the first place. From ransomware attacks to patient right of access failures, we’re diving into what went wrong, why it happened, and—most importantly—how you can avoid becoming the next cautionary tale.
In this episode:
From $10K to $3M: The Price Tag of Neglecting Cybersecurity – Ep 494
Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.
We couldn’t read one before the next one came out, so we just gave up for a bit.
OCR Resolution Agreements Summary
| Entity Name | Date of Announcement | Amount Paid | CAP Length | Issue Summary |
|---|---|---|---|---|
| Elgon Information Systems | January 7, 2025 | $80,000 | 3 Years | Ransomware attack; failure to conduct risk analysis and implement security measures. |
| VPN Solutions | January 7, 2025 | $90,000 | 1 Year | Ransomware attack; failure to secure patient data and implement safeguards. |
| USR Holdings LLC | January 8, 2025 | $337,750 | 2 Years | Failure to prevent deletion of ePHI; lacked Security Rule safeguards. |
| Solara Medical Supplies | January 14, 2025 | $3,000,000 | 2 Years | A phishing attack exploited vulnerabilities; inadequate cybersecurity practices. |
| Memorial Healthcare System | January 15, 2025 | $60,000 | N/A | Failed to provide patients timely access to medical records (Right of Access). |
| Northeast Surgical Group | January 15, 2025 | $10,000 | 2 Years | Ransomware attack; cybersecurity risk analysis and remediation gaps. |
[07:58] Elgon dba HomecareGPS
“A HIPAA compliant risk analysis is not only required under the law, but is also an essential step in effective cybersecurity,” said OCR Director Melanie Fontes Rainer. “The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed.”
A ransomware attack in which the attacker got in through open ports on the firewall.
[14:58] VPN Solutions (VA), a hosting provider and cloud services company
“An accurate and thorough risk analysis is foundational to both HIPAA Security Rule compliance and protecting health information from cyberattacks.” said OCR Director Melanie Fontes Rainer. “Failure to conduct a risk analysis leaves health care entities exposed to future hacking and ransomware attacks. OCR urges health care entities to take the necessary steps to reduce risks and vulnerabilities and safeguard protected health information.”
A ransomware attack hit 12 clients in the data center.
[20:11] USR Holdings
“Health care entities need to ensure that they are proactively monitoring who is in their information systems, and that they have backup procedures in place to be able to create exact copies of the electronic protected health information they hold, in the event health information is held for ransom or deleted,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes being able to restore access to electronic health information following a cybersecurity attack, so there is no interruption in the provision of health care.”
After being in the system for several months, the attacker was able to delete a database full of PHI that had not been backed up.
[22:58] Solara – a supplier and direct-to-patient distributor of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes.
“Cyberattacks have skyrocketed exponentially in recent years. Effective cybersecurity requires identifying potential risks and vulnerabilities to health information and implementing effective security measures to protect against them,” said OCR Director Melanie Fontes Rainer. “Health care entities that fail to address identified cybersecurity issues leave themselves vulnerable to cyberattacks. OCR urges health care entities to prioritize securing their information systems and take all necessary steps to reduce and prevent cyberattacks and safeguard protected health information.”
Eight employees were hit with a phishing attack, PLUS they sent the breach notifications for that breach to 1,531 wrong addresses! There was no SRA (security risk analysis) and no timely notification of the first breach.
They were purchased by AdaptHealth shortly after the second notification.
[28:47] Memorial Healthcare System FL
“A patient’s right to timely access their own health information is well-established by the HIPAA Privacy Rule,” said OCR Director Melanie Fontes Rainer. “Health care entities must be responsive to their patients’ requests for their medical records. Patients should not have to file a complaint with OCR as a necessary step before receiving their records.”
It took the patient 9 months to get their records. This wasn’t the organization’s first time dealing with an OCR case resolution. They took the penalty just to make it go away; way cheaper for them than fighting it.
[30:50] Northeast Surgical Group, P.C. (NESG), a provider of surgical services in Michigan
“One of the first steps in implementing effective cybersecurity in health care is assessing the potential risks and vulnerabilities to electronic protected health information,” said OCR Director Melanie Fontes Rainer. “A failure to conduct a HIPAA risk analysis will leave a health care entity vulnerable to cyberattacks, such as hacking and ransomware—which is bad for our health care system and bad for patients. We can and must do better.”
A ransomware attack in which the records of 15,298 patients were encrypted and exfiltrated.
The Bottom Line
Cybersecurity isn’t just an IT problem—it’s a survival strategy. The price tag for neglect isn’t just about fines; it’s lost trust, operational chaos, and a whole lot of “we should have known better.” So before you brush off that risk analysis or delay security updates, remember: it’s always cheaper to prevent a fire than to rebuild after one.
We’ve said it before, and we’ll say it again—ignoring cybersecurity is like playing dodgeball blindfolded. Sure, you might dodge a few hits, but eventually, you’re going to take one to the face. These six cases prove that hoping for the best isn’t a strategy, and waiting until disaster strikes is the most expensive way to learn a lesson. So take action now—before you end up as the next cautionary tale we’re talking about in a future episode.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.