Guam Hospital Settles HIPAA Investigation with Federal Government for $25,000


Case Resolves HHS OCR Scrutiny of Two Security Incidents

Guam Hospital Pays Feds $25K to Settle HIPAA Investigation
Image: Guam Memorial Hospital Authority

The Guam Memorial Hospital Authority (GMHA) has agreed to pay $25,000 to federal regulators and to implement a corrective action plan addressing potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The agreement follows an investigation into two security incidents that identified shortcomings in the hospital's compliance, notably a failure to conduct a thorough risk analysis.

According to the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR), the settlement stems from a complaint received in January 2019 about a ransomware attack in December 2018 that compromised the protected health information of approximately 5,000 individuals. On March 17, 2023, the agency received a second complaint against the hospital, alleging that two former staff members had accessed the hospital’s network after their employment ended.

HHS OCR’s findings emphasized the hospital’s lack of a comprehensive and accurate risk analysis, which is essential for identifying potential vulnerabilities related to electronic protected health information (ePHI). In a statement, Anthony Archeval, the acting director of HHS OCR, noted, “Ransomware and hacking are the primary cyberthreats to ePHI in the healthcare sector.” He stressed that inadequate risk assessments heighten the risk of future attacks.

The corrective action plan agreed to by GMHA requires strict adherence to the HIPAA Security Rule. This includes conducting a complete risk analysis to identify weaknesses in ePHI security, developing a risk management plan to mitigate the vulnerabilities it discovers, and enhancing HIPAA compliance training for all employees. GMHA will also regularly review records of system activity and tighten its access management procedures.

GMHA has not commented on the settlement. The action is HHS OCR’s 11th enforcement action involving ransomware, and the seventh since the agency launched its Risk Analysis Initiative in 2024. It is also the 10th HIPAA enforcement action HHS OCR has announced in 2025, underscoring the continuing difficulty healthcare organizations face in safeguarding sensitive information.

This enforcement case is a reminder for organizations, particularly in healthcare, to prioritize rigorous security measures, including a comprehensive risk analysis. Such measures help prevent unauthorized access and maintain compliance with federal regulations, protecting both the organization and the individuals whose data it holds.