
"The settlement resolves an investigation of TWRTC that OCR initiated after receiving a breach report that TWRTC filed in March 2023. TWRTC reported that, as a result of a successful phishing attack, an unauthorized third party accessed ePHI through a workforce member's email account. TWRTC concluded that the ePHI for 1,980 patients was compromised by the attack. OCR's investigation found evidence that TWRTC failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI TWRTC holds as required by the HIPAA Security Rule."
"Conduct and complete an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI; Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis; Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security Rule, and Breach Notification Rules; and Provide annual training for workforce members who have access to ePHI on its written HIPAA policies and procedures."
HHS OCR reached a settlement with Top of the World Ranch Treatment Center for alleged HIPAA Security Rule violations after a March 2023 phishing attack. The attack allowed an unauthorized third party to access a workforce member's email account and compromised ePHI for 1,980 patients. OCR found that TWRTC failed to conduct an accurate and thorough risk analysis as required by the HIPAA Security Rule. TWRTC agreed to a two-year corrective action plan and to pay $103,000. Obligations include completing a comprehensive risk analysis, implementing a risk management plan, maintaining HIPAA policies and procedures, and providing annual workforce training on HIPAA.
Read at DataBreaches.Net