The U.S. Department of Health and Human Services (HHS) announced a settlement with Spencer Gifts LLC's health plan over HIPAA violations related to a data breach that potentially affected the personal health information (PHI) of 10,023 individuals. Following the breach, which involved unauthorized access and ransomware deployment, an investigation by the HHS Office for Civil Rights (OCR) revealed failures in risk analysis and adherence to HIPAA Privacy and Security Rules.
As part of the settlement, Spencer Gifts LLC's plan will pay $450,000 and follow a two-year corrective action plan that includes comprehensive risk assessments and workforce training. OCR also recommended additional security measures for organizations handling ePHI.