HHS fines Guam hospital over ransomware attack, HIPAA violations

The Guam Memorial Hospital Authority (GMHA) was fined $25,000 after two cyber incidents, including a ransomware attack, led to potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The fine was issued as part of a settlement between GMHA and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which also requires GMHA to take several steps toward ensuring the protection of patients’ electronic protected health information (ePHI).

GMHA, a public hospital in the U.S. territory of Guam, which had more than 30,000 patient admissions in 2021 according to its website, suffered a ransomware attack in December 2018, according to the OCR resolution agreement.

HHS received a complaint about this attack in January 2019 and launched an investigation, during which another complaint was received in March 2023. This subsequent complaint involved unauthorized access to GMHA network systems by two former employees that same month.

The ransomware attack was ultimately found to have affected the ePHI of approximately 5,000 individuals. The March 2023 intrusion was reported by GMHA’s legal counsel to have been conducted from the U.S. mainland and led to a temporary shutdown of the healthcare organization’s nearly 100 computerized systems, the Pacific Daily News reported.

GMHA told the Pacific Daily News that there was no evidence patient information, financial information or employee records were accessed or tampered with, although the incident was noted to involve multiple instances of unauthorized access and was reported to the Federal Bureau of Investigation (FBI).

A nurse at the hospital also said during a GMHA town hall meeting that patients’ lives were put at risk due to the shutdown, which lasted for more than a week, according to Kandit News. GMHA also reportedly did not inform the Guam Attorney General about the intrusion until about two weeks after it was discovered.

The HHS investigation ultimately found that GMHA “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” it held, according to OCR.

As part of the resolution, GMHA will be required to conduct a thorough risk analysis and develop a risk management plan, as well as develop a process to regularly review records of information system activity, including audit logs, access reports, and security incident tracking reports.

Additionally, GMHA must develop new policies and procedures for complying with HIPAA Privacy, Security and Breach Notification Rules, enhance its employee HIPAA and security training, review all access credentials that provide access to ePHI and conduct breach risk assessments for each of the prior incidents.

The agreement reached with GMHA is the 11th enforcement action OCR has taken in relation to healthcare ransomware incidents. More than two-thirds of healthcare organizations reported being affected by ransomware in 2024, according to the Sophos State of Ransomware Report 2024.

Earlier this month, the office fined Northeast Radiology, P.C. (NERAD) $350,000 after unauthorized individuals accessed radiology images stored on NERAD’s Picture Archiving and Communication System (PACS) server for more than eight months, affecting the ePHI of nearly 300,000 patients.
