Office for Civil Rights

OCR Highlights 8 Tips for Avoiding Healthcare Phishing Attacks

March 1, 2018 - Healthcare phishing attacks are becoming more sophisticated, which is why organizations must remain vigilant in their detection measures, OCR explained in its recent cybersecurity newsletter. Hackers can exploit popular holidays to target individuals, and phishing attacks are also common during tax season, the agency stated. Spear phishing can also be especially...

More Articles

Filefax PHI Disclosure Leads to $100K OCR HIPAA Settlement

by Elizabeth Snell

Filefax, Inc. went out of business in 2017, but that does not mean that an OCR HIPAA settlement can be avoided due to an earlier PHI disclosure, according to OCR. A company that was appointed as a receiver to liquidate Filefax’s assets...

Timothy Noonan Named OCR Acting Deputy Director

by Elizabeth Snell

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently named Timothy Noonan as the new OCR acting deputy director for health information privacy (HIP). Noonan has been in the position since January 29, 2018,...

5 HIPAA Data Breaches Lead to $3.5M OCR Settlement

by Elizabeth Snell

Fresenius Medical Care North America (FMCNA) recently agreed to a $3.5 million OCR settlement following allegations that it committed HIPAA violations on five different occasions at separate FMCNA covered entities. FMCNA provides product and...

How Healthcare Organizations Can Reduce Cyber Extortion Risk

by Elizabeth Snell

Healthcare organizations must be mindful of how they reduce cyber extortion risk because covered entities maintain sensitive data and provide necessary services, OCR stated in its January Cybersecurity Newsletter. Cyber extortion often consists...

OCR Reiterates HIPAA Guidance for Opioid Crisis Response

by Elizabeth Snell

OCR recently discussed its current tools and initiatives in place to help organizations face the opioid crisis, touching on HIPAA guidance and how the agency is implementing the 21st Century Cures Act. OCR launched two new webpages focused on...

$2.3M OCR Settlement Reached for 21st Century Oncology Data Breach

by Elizabeth Snell

Cancer care services provider 21st Century Oncology (21CO) recently agreed to a $2.3 million OCR settlement, following a 2015 data breach. OCR found in its investigation that 21CO impermissibly disclosed the PHI of 2,213,597 of its patients and...

Reducing Insider Data Breach Risk with Strong IAM Policies

by Elizabeth Snell

Implementing effective identity and access management (IAM) policies and controls is essential for healthcare organizations that are looking to reduce the potential of insider data breach risk, according to the OCR November 2017 Cybersecurity...

What Should Entities Expect with OCR HIPAA Enforcement?

by Elizabeth Snell

There have been nine OCR HIPAA enforcement settlements so far in 2017, highlighting the need for covered entities and business associates to focus on audit controls, risk management, and business associate agreements. While there has been a new...

What Are Basic, Essential Healthcare Cybersecurity Measures?

by Elizabeth Snell

With October being National Cybersecurity Awareness Month (NCAM), OCR highlighted top healthcare cybersecurity measures that all covered entities and business associates should keep in mind. NCAM is an ideal time for organizations to review basic...

41% of Health Data Breaches Stem from Unintended Disclosure

by Elizabeth Snell

Unintended data disclosure, such as emails containing PHI sent to the wrong recipient or servers left publicly accessible, accounted for 41 percent of reported health data breaches in the first nine months of 2017, according to research from Beazley....

Reviewing OCR HIPAA Guidance to Maintain Compliance

by Elizabeth Snell

Covered entities should not be afraid to regularly review OCR HIPAA guidance and ensure that they remain compliant, even as they add new technologies into the daily workflow, according to OCR Senior Advisor for HIPAA Compliance and Enforcement...

Mount Sinai St. Luke’s Sued Following HIPAA Violation

by Elizabeth Snell

New York-based Mount Sinai St. Luke’s Hospital is being sued for faxing patient PHI to the patient’s employer, a reported HIPAA violation that has already resulted in an OCR HIPAA settlement. The Law Offices of Jeffrey Lichtman represent...

OCR Stresses Employee Training Need in PHI Security

by Elizabeth Snell

The need for strong employee training only increases as the healthcare risk landscape grows and threatens PHI security, according to the recent OCR cybersecurity newsletter. Data security training is necessary for combating threats such as ransomware...

5 Lessons Learned in OCR HIPAA Settlements

by Elizabeth Snell

Healthcare organizations cannot assume that they will never experience a data breach or data security incident. Failure to update safeguards or audit controls could also lead to an OCR HIPAA settlement, which could be paired with a high fine...

OCR Highlights Proper Healthcare Cyberattack Response

by Elizabeth Snell

HIPAA covered entities and business associates must know the necessary steps to take following a healthcare cyberattack. Failing to either notify overseeing agencies or properly alert patients could lead to numerous issues for an organization....

PHI Data Breach Leads to $387K OCR HIPAA Settlement

by Elizabeth Snell

St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) settled alleged HIPAA violations from a PHI data breach by paying $387,000 in an OCR HIPAA settlement. Formerly Spencer Cox Center for Health (the Spencer Cox Center), New York-based...

HHS Reiterates OCR Ransomware Guidance after Recent Attack

by Elizabeth Snell

The WannaCry ransomware attack should serve as a strong reminder to healthcare organizations to maintain necessary data security measures, including proper employee training. Adhering to the OCR ransomware guidance will also help covered entities...

Memorial Hermann Agrees to $2.4M OCR HIPAA Settlement

by Elizabeth Snell

Texas-based Memorial Hermann Health System (MHHS) recently agreed to a $2.4 million OCR HIPAA settlement following multiple allegations of inappropriate PHI disclosure. OCR conducted a compliance review after numerous media reports claimed that...

Lack of Business Associate Agreement Equals $31K Settlement

by Elizabeth Snell

The Center for Children’s Digestive Health (CCDH) recently settled potential HIPAA violations by not having a business associate agreement in place, and paid OCR $31,000. The Illinois-based healthcare provider underwent an OCR compliance...
