
Massachusetts health firm reaches $80,000 settlement with HHS following ransomware investigation

A Massachusetts company is the latest healthcare entity to be penalized by federal regulators following an investigation into a 2023 ransomware attack.

The U.S. Department of Health and Human Services (HHS) said on Tuesday it reached a settlement agreement of $80,000 with Elgon Information Systems after the company violated federal rules around the protection of healthcare data.

Elgon provides electronic medical record and billing support services to healthcare entities governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The company was breached by a cybercriminal on March 25, 2023, and the company did not discover the incident until it found a ransom note six days later. Elgon reported the ransomware attack to HHS in June 2023, telling the agency that more than 31,000 people had information accessed by the hackers. 

Social Security numbers, driver’s license numbers and healthcare information about medications, conditions and diagnosis were leaked in the attack. No ransomware gang ever took credit for the incident publicly.

An investigation conducted by HHS’s Office for Civil Rights (OCR) found that Elgon “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to [electronic protected health information] in its system.” 

In addition to paying an $80,000 penalty, Elgon will implement a corrective action plan to resolve the HIPAA violations HHS found. The company will have to identify potential vulnerabilities in its information systems, update its risk management plan, provide workforce training on HIPAA policies and more. 

“A HIPAA compliant risk analysis is not only required under the law, but is also an essential step in effective cybersecurity,” said OCR Director Melanie Fontes Rainer. “The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed.”

HHS has stepped up its enforcement of the cybersecurity rules within HIPAA in recent years as the threat of ransomware has increased among healthcare entities. 

The department said ransomware has become one of the primary threats to healthcare and provided data showing a 264% increase since 2018 in large breaches involving ransomware that were reported to OCR.

This is the second settlement OCR has secured as part of its Risk Analysis Initiative after agreeing to a $100,000 settlement with another Massachusetts-based medical billing company in 2023 following a 2017 ransomware attack. The initiative focuses on compliance with the HIPAA Security Rule. 

The department penalized another company $950,000 last year for HIPAA violations related to a ransomware attack and has so far secured eight settlements connected to such cyberattacks.

After 2024 saw several devastating ransomware attacks on healthcare entities that caused ambulance diversions and real-world degradation of patient care, U.S. officials have floated potential changes to HIPAA as one way to force hospitals and healthcare organizations to take cybersecurity seriously. 

A White House official said two weeks ago that tougher cybersecurity rules covering how healthcare institutions protect user data will be proposed under HIPAA.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.