USR Holdings Faces HIPAA Settlement Following Breach Affecting Nearly 3,000 Patients
USR Holdings, a behavioral health holding company based in Florida, has agreed to a $337,750 settlement after a breach in 2018 resulted in the unauthorized deletion of electronic protected health information (ePHI) for approximately 3,000 patients. This incident raises critical questions about how organizations can prevent similar data loss issues in the future.
In conjunction with the financial penalty, USR Holdings, which serves as a business associate for various behavioral health centers, has also consented to a corrective action plan established in a resolution agreement with the U.S. Department of Health and Human Services (HHS), released on Wednesday.
The settlement follows an investigation triggered by a hacking incident that USR reported to the Office for Civil Rights (OCR) at HHS in February 2019. Records indicate that between August 23 and December 8, 2018, an unauthorized third party accessed a database containing ePHI and deleted critical information.
USR’s breach notification to the Massachusetts attorney general’s office indicated that the company observed unusual server activity related to its behavioral health centers on December 8, 2023. The affected facilities included USR’s subsidiaries, Amethyst Recovery Center and The Freedom Center, as well as New England Recovery and Wellness Center, which is owned by another entity.
The investigation, supported by a digital forensics firm, revealed that a USR staff member changed firewall configurations on August 23, 2023, inadvertently allowing an unknown actor to gain access to the database server.
OCR’s investigation of the breach found potential noncompliance with the HIPAA Security and Privacy Rules. The key findings were the lack of a thorough risk analysis, inadequate review of information system activity, and the absence of procedures for maintaining retrievable copies of ePHI.
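The two preceding paragraphs describe a firewall change that exposed a database server and a failure to review system activity that would have revealed it. The following is an added example, not USR's configuration or any tool named in the article: it audits a constructed firewall ruleset for rules that allow inbound traffic to database ports from a broad source, and diffs the ruleset against a known-good baseline so that exactly this kind of change is surfaced for review. The rule format, the rule values, the list of database ports and the "broad source" threshold are all assumptions made for the example.

```python
"""Flag firewall rules that expose database ports to broad sources and
report which rules changed relative to a baseline.

Added example; the ruleset format and all values below are constructed.
"""
import ipaddress

# Ports commonly used by database servers (assumption: adjust to your estate).
DATABASE_PORTS = {1433, 1521, 3306, 5432, 27017}

# A source prefix this wide or wider is treated as "effectively anyone" (assumption).
BROAD_PREFIX_MAX = 8  # /8 or shorter, e.g. 0.0.0.0/0


def is_broad_source(cidr):
    """True if the CIDR source of a rule is a /8 or wider."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen <= BROAD_PREFIX_MAX


def exposed_db_ports(rule):
    """Database ports this single rule allows inbound from a broad source.

    A rule with ports=None matches every port. Deny and outbound rules never
    create an exposure.
    """
    if rule["action"] != "allow" or rule["direction"] != "inbound":
        return set()
    if not is_broad_source(rule["source"]):
        return set()
    ports = DATABASE_PORTS if rule["ports"] is None else set(rule["ports"])
    return ports & DATABASE_PORTS


def find_exposed_db_rules(rules):
    """Return [(rule_id, sorted exposed ports)] for every exposing rule, in ruleset order."""
    findings = []
    for rule in rules:
        hit = exposed_db_ports(rule)
        if hit:
            findings.append((rule["id"], sorted(hit)))
    return findings


def diff_rulesets(baseline, current):
    """Rule ids added, removed or modified relative to the baseline."""
    base = {r["id"]: r for r in baseline}
    cur = {r["id"]: r for r in current}
    return {
        "added": sorted(cur.keys() - base.keys()),
        "removed": sorted(base.keys() - cur.keys()),
        "changed": sorted(i for i in cur.keys() & base.keys() if cur[i] != base[i]),
    }


def audit_change(baseline, current):
    """Combine both checks: which added or modified rules newly expose a database port."""
    delta = diff_rulesets(baseline, current)
    touched = set(delta["added"]) | set(delta["changed"])
    new_exposures = [f for f in find_exposed_db_rules(current) if f[0] in touched]
    return {"delta": delta, "new_exposures": new_exposures}


# Constructed known-good ruleset: the database is reachable only from the app subnet.
BASELINE = [
    {"id": "app-to-db", "direction": "inbound", "action": "allow", "ports": [5432], "source": "10.20.0.0/16"},
    {"id": "admin-ssh", "direction": "inbound", "action": "allow", "ports": [22], "source": "10.0.0.0/8"},
    {"id": "default-deny", "direction": "inbound", "action": "deny", "ports": None, "source": "0.0.0.0/0"},
]

# Constructed ruleset after an ill-advised edit: one rule widened, one temporary rule added.
CURRENT = [
    {"id": "app-to-db", "direction": "inbound", "action": "allow", "ports": [5432], "source": "0.0.0.0/0"},
    {"id": "admin-ssh", "direction": "inbound", "action": "allow", "ports": [22], "source": "10.0.0.0/8"},
    {"id": "vendor-temp", "direction": "inbound", "action": "allow", "ports": [3306, 8443], "source": "0.0.0.0/0"},
    {"id": "default-deny", "direction": "inbound", "action": "deny", "ports": None, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    report = audit_change(BASELINE, CURRENT)
    print("changed rules:", report["delta"])
    for rule_id, ports in report["new_exposures"]:
        print(f"ALERT rule {rule_id} allows database port(s) {ports} from a broad source")
```

Run against the constructed data, the baseline produces no findings, while the modified ruleset reports the widened `app-to-db` rule and the new `vendor-temp` rule (only its MySQL port, not 8443). Running a check like this on every configuration commit, or on a schedule against the live firewall, is one concrete form of the system activity review the findings above say was missing.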
As part of its corrective measures, USR is now tasked with conducting a comprehensive risk analysis, implementing a risk management plan to address vulnerabilities, and reinforcing policies and procedures to comply with HIPAA regulations. Furthermore, HHS OCR has committed to monitoring USR’s compliance with HIPAA for two years following this settlement.
HHS OCR Director Melanie Fontes Rainer emphasized the need for healthcare organizations to actively monitor their information systems and maintain robust backup procedures for electronic health information. This vigilance is essential to ensure timely recovery of data in case of a cyber incident.
The breach at USR Holdings underscores a growing trend in the healthcare sector, where data deletion incidents have become increasingly common. Previous cases, such as the May 2021 breach involving 20/20 Eye Care and Hearing Care Network, which affected over 3 million individuals due to unauthorized access and subsequent data deletion, highlight the urgent need for enhanced cybersecurity measures across the industry.
As organizations reflect on this incident, the lessons are clear: comprehensive disaster recovery plans, regular monitoring, and advanced backup solutions are critical in mitigating risks and safeguarding sensitive data against evolving cyber threats.