Southern California physician services organization Providence Medical Institute has been fined $240,000 following three ransomware attacks against West Hills, Calif.-based Center for Orthopedic Specialists, according to an Oct. 4 report from Bank Info Security.
The attacks occurred within a three-week span in early 2018 and compromised the information of 85,000 patients.
The penalty against PMI is the agency's fifth ransomware HIPAA enforcement action to date.
PMI currently has 200 providers across 32 medical offices, including seven urgent-care centers.
The compromised servers hosted an eClinicalWorks electronic medical record system used by Center for Orthopedic Specialists, which PMI acquired in 2016. At the time of the attacks, the orthopedic group's IT systems had not been integrated into PMI's network and were supported by a third-party IT vendor. The attacks occurred between February and March 2018.
PMI allegedly violated HIPAA security rules by failing to have a business associate agreement in place with Creative Solutions in Computers and failing to implement policies and procedures to allow only authorized persons or software programs access to electronic patient health information.
Patient information compromised in the attacks included names, addresses, dates of birth, driver's license numbers, Social Security numbers, lab results, medications, treatment information, credit card information, bank account numbers and other financial information.