Virtual Private Network Solutions, LLC Resolution Agreement and Corrective Action Plan

Resolution Agreement

I.  Recitals

1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
   1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”).  HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations.  See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
   2. Virtual Private Network Solutions, LLC d/b/a VPN Solutions, LLC (“VPN Solutions”), is a business associate, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with provision of the HIPAA Rules.  VPN Solutions is a provider of data hosting, cloud services, user and application support to a number of HIPAA- regulated covered entities and business associates. It is based in Richmond, Virginia. 
   3. HHS and VPN Solutions shall together be referred to herein as the “Parties.”
2. Factual Background and Covered Conduct. On December 30, 2021, VPN Solutions filed a notice of breach on behalf of twelve covered entities, which had delegated their responsibility to report the breach, to the Secretary of Health and Human Services.¹  The breach report indicated that VPN Solutions experienced a ransomware attack on its server, which resulted in the encryption of covered entity data.  VPN Solutions reported that it became aware of the attack on October 31, 2021.  The initial report indicated that the types of data encrypted as a result of the ransomware attack included names, addresses, dates of birth, driver’s license information, social security numbers, other identifiers, claim information, bank account numbers, other financial information, diagnoses/conditions, lab results, medications, and other treatment information. 
   
   HHS’s investigation indicated that the following conduct occurred (“Covered Conduct”):

a. VPN Solutions has failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds. See 45 C.F.R. § 164.308(a)(1)(ii)(A).

3. No Admission. This Agreement is not an admission of liability by VPN Solutions.
4. No Concession. This Agreement is not a concession by HHS that VPN Solutions is not in violation of the HIPAA Rules and not liable for civil money penalties.
5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Transaction Number 22-461454 and any violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement.  In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

6. Payment. HHS has agreed to accept, and VPN Solutions has agreed to pay HHS the amount of $90,000 (“Resolution Amount”).  VPN Solutions agrees to pay the Resolution Amount in one lump-sum on or before fifteen (15) days of the Effective Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction pursuant to written instructions provided by HHS.
7. Corrective Action Plan.  VPN Solutions has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference.  If VPN Solutions breaches the CAP and fails to cure the breach as set forth in the CAP, then VPN Solutions will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
8. Release by HHS.  In consideration of and conditioned upon VPN Solutions’ performance of its obligations under this Agreement, HHS releases VPN Solutions from any actions it may have against VPN Solutions under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement. HHS does not release VPN Solutions from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Party.  VPN Solutions shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement.  VPN Solutions waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) and 45 C.F.R. Part 160, Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors.  This Agreement is binding on VPN Solutions and its successors, heirs, transferees, and assigns.
11. Costs.  Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases.  This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against or by any other person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement.  Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
14. Execution of Agreement and Effective Date.  The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
15. Tolling of Statute of Limitations.  Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, VPN Solutions agrees that the time between the Effective Date of this Agreement (as set forth in paragraph II.14) and the date the Agreement may be terminated by reason of VPN Solutions’ breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement.  VPN Solutions waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the covered conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
16. Disclosure.  HHS places no restriction on the publication of the Agreement.  However, HHS agrees that it shall not disclose the name or other identifying information related to VPN Solutions’ clients in any online publication, media release, or other external publication, description or summary of the Agreement.    
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
18. Authorizations.  The individual(s) signing this Agreement on behalf of VPN Solutions represent and warrant that they are authorized by VPN Solutions to execute this Agreement.  The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For VPN Solutions 

/s/
John Moore, President
Virtual Private Network Solutions, LLC

Dated: 11/13/2024

For the United States Department of Health and Human Services

/s/
Jamie Rahn Ballay, Regional Manager
Office for Civil Rights, Mid-Atlantic Region

Dated: 11/15/2024

Appendix A

Corrective Action Plan

Between the

U.S. Department of Health and Human Services
and

Virtual Private Network Solutions, LLC d/b/a VPN Solutions, LLC

I.   Preamble

Virtual Private Network Solutions, LLC d/b/a VPN Solutions, LLC (hereinafter “VPN Solutions”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”).  Contemporaneously with this CAP, VPN Solutions is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A.   VPN Solutions enters into this CAP as part of the consideration for the release set forth in paragraph II.8 of the Agreement.

II.   Contact Persons and Submissions

1. Contact Persons. 
   
   VPN Solutions has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports: 
   
   John Moore, President 
   VPN Solutions LLC
   1403 Pemberton Road, Suite 306
   Richmond, VA 23238
   
   HHS has identified the following individual as its authorized representative and contact person with whom VPN Solutions is to report information regarding the implementation of this CAP: 
   
   Jamie Rahn Ballay, Regional Manager
   Office for Civil Rights, Mid-Atlantic Region
   U.S. Department of Health and Human Services
   801 Market Street, Suite 9300
   Philadelphia, PA 19107
   
   VPN Solutions and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.
2. Proof of Submissions.
   Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, electronic mail, or hand delivery, provided that there is proof that such notification was received.  For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III.   Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.13 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by VPN Solutions under this CAP shall begin on the Effective Date of this CAP and end one (1) year from the Effective Date, unless HHS has notified VPN Solutions under section VIII hereof of its determination that VPN Solutions has breached this CAP.  In the event of such a notification by HHS under section VIII hereof, the Compliance Term shall not end until HHS notifies VPN Solutions that it has determined that the breach has been cured.  After the Compliance Term ends, VPN Solutions shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII.

IV.   Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days.  The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V.   Corrective Action Obligations

VPN Solutions agrees to the following:

1. Conduct a Risk Analysis
   1. VPN Solutions shall conduct and complete an accurate and thorough analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by VPN Solutions or its affiliates that are owned, controlled or managed by VPN Solutions that contain, store, transmit or receive ePHI. As part of this process, VPN Solutions shall include a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and application that contain or store ePHI which will then be incorporated in its risk analysis. The risk analysis will include vulnerability scans and penetration testing.
   2. Within 30 calendar days of the Effective Date, VPN Solutions shall submit to HHS the scope and methodology by which it proposes to conduct the risk analysis. HHS shall notify VPN Solutions whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308 (a)(l)(ii)(A).
   3. VPN Solutions shall provide the risk analysis, consistent with paragraph V.B.l., to HHS within 90 days of HHS's approval of the scope and methodology described in paragraph V.B.2 for HHS's review.
   4. Upon submission by VPN Solutions, HHS shall review and recommend changes to the aforementioned risk analysis. If HHS requires revisions to the Risk Analysis, HHS shall provide VPN Solutions with a written explanation of such required revisions in order for VPN to be able to prepare a revised Risk Analysis.  Upon receiving HHS’s recommended changes, VPN Solutions shall have 30 calendar days to submit a revised risk analysis. This process will continue until HHS provides final approval of the risk analysis.
   5. VPN Solutions shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by VPN Solutions, affiliates that are owned, controlled, or managed by VPN Solutions, and document the security measures VPN Solutions implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. Subsequent risk analyses and corresponding management plans shall be submitted for review by HHS in the same manner as described in this section until the conclusion of the CAP.
2. Develop and Implement a Risk Management Plan
   1. VPN Solutions shall develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis specified in section V.A.1. above, including any risk and vulnerabilities pertaining to the accessibility of ePHI. The risk management plan shall include a process and timeline for VPN Solutions’ implementation, evaluation, and revision of its risk remediation activities.
   2. Within 90 calendar days of HHS’s final approval of the risk analysis described in section V.C.1 above, VPN Solutions shall submit a risk management plan to HHS for HHS’s review and approval. HHS shall approve, or, if necessary, require revisions to VPN Solutions’ risk management plan.  If HHS requires revisions to the Risk Management Plan, HHS shall provide VPN Solutions with a written explanation of the basis of its revisions that VPN Solutions can use to prepare a revised Risk Management Plan.
   3. Upon receiving HHS’s notice of required revisions, if any, VPN Solutions’ shall have 60 calendar days to revise the risk management plan accordingly and forward for review and approval. This process shall continue until HHS approves the risk management plan.
   4. Within 30 calendar days of HHS’s approval of the risk management plan, VPN Solutions shall finalize and officially adopt the risk management plan in accordance with its applicable administrative procedures.
3. Policies and Procedures
   1. VPN Solutions shall review, and as necessary, develop, or revise written policies and procedures to address the Minimum Content set forth in Section V.D. to comply with the HIPAA Rules.
   2. VPN Solutions shall provide the policies and procedures identified in section V.B.1 above to HHS for review and approval within sixty (60) days of HHS’ approval of the Risk Management Plan, as required by V.A.4. Upon receiving any recommended changes to such policies and procedures from HHS, VPN Solutions shall have forty-five (45) days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. If HHS requires revisions to the policies and procedures, HHS shall provide VPN Solutions with a written explanation of the basis of its revisions VPN Solutions can use to prepare revised policies and procedures.  This process shall continue until HHS approves such policies and procedures.
   3. VPN Solutions shall adopt (in accordance with its applicable administrative procedures) the policies and procedures approved by HHS pursuant to section V.B.2 within thirty (30) days of receipt of HHS’ approval.

4. Minimum Content of the Policies and Procedures

   1. The Policies and Procedures subject to this CAP shall include policies and procedures that address the following Privacy and Security Rule provisions:

   a. Risk Analysis---45 C.F.R. § 164.308(a)(1)(ii)(A), including provisions to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by MMG and to conduct the accurate and thorough assessment on an annual basis.

   b. Risk Management---45 C.F.R. § 164.308(a)(1)(ii)(B), including provisions to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

   c. Security Awareness and Training---45 C.F.R. § 164.308(a)(5), including implementation of a security awareness and training program for all workforce members.

   d. Security Incident Procedures---45 C.F.R. § 164.308(a)(6), including Implementing policies and procedures to address security incidents.

   e. Data Backup Plan---45 C.F.R. § 164.308(a)(7), including establishing and implementing procedures to create and maintain retrievable exact copies of electronic protected health information.

   f. Breach Notification Rule---including as relates to breach risk assessments at 45 C.F.R. § 164.402 and notification by a business associate at 45 C.F.R. § 164.410.

5. Breach Assessment and Breach Notification
   1. Within thirty (30) days of the Effective Date, VPN Solutions shall provide HHS with its breach risk assessment of the October 31, 2021 ransomware attack pursuant to 45 C.F.R. § 164.402. Such assessment shall include a complete and accurate list of all covered entity clients of VPN Solutions that were affected by the breach incident.
   2. HHS shall review and provide feedback to VPN Solutions on the breach risk assessment’s accuracy and thoroughness within thirty (30) days of receipt. If HHS requires revisions to the breach risk assessment, HHS shall provide VPN Solutions with a written explanation of the basis of its revisions, including comments and recommendations that VPN Solutions can use to prepare revised breach risk assessment. VPN Solutions shall incorporate HHS’s feedback, if any, into the breach risk assessment and re-submit to HHS for approval or additional feedback within ten (10) days of receipt. This process shall continue until HHS approves the breach risk assessment.
   3. Within thirty (30) days of HHS’s approval of the breach risk assessment, VPN Solutions shall provide HHS with evidence that VPN Solutions has provided notice pursuant to 45 C.F.R. § 164.410 to any and all affected covered entities that were affected by the breach incident.
   4. Within thirty (30 days) of HHS’s approval of the breach risk assessment, VPN Solutions shall provide HHS with evidence that it has, to the extent possible, provided to affected covered entities the identification of each individual whose PHI has been, or is reasonably believed by VPN Solutions to have been, accessed, acquired, used, or disclosed as a result of the October 31, 2021, ransomware attack.

VI.  Reportable Events

1. During the Compliance Term, VPN Solutions shall, upon learning that a workforce member likely failed to comply with its policies and procedures described in Section V.C., promptly investigate this matter. If VPN Solutions, after review and investigation, determines that a member of its workforce has failed to comply with its policies and procedures, VPN Solutions shall report such events to HHS as provided in Section VI.B.1.c on a quarterly basis. Such violations shall be known as Reportable Events. The report to HHS shall include the following:

a. A complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of VPN Solutions’ Privacy, Security, and Breach Notification policies and procedures; and

b. A description of the actions taken and any further steps VPN Solutions plans to take to address the matter, to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures.

c. If no Reportable Events occur during the Compliance Term, VPN Solutions shall so inform HHS in the Annual Report as specified in Section VII below.

 VII.  Implementation Report and Annual Report

1. Implementation Report.
   1. Within 120 calendar days after the receipt of HHS’s approval of all the policies and procedures required by section V.C., VPN Solutions shall submit a written report to HHS summarizing the status of its implementation of the requirements of this CAP.  This report, known as the “Implementation Report,” shall include:

a. An attestation signed by an owner or officer of VPN Solutions attesting that the risk management plan approved by HHS in section V.D. is being implemented;

b. An attestation signed by an owner or officer of VPN Solutions stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

2. Annual Report.
   1. Within 60 calendar days after the close of the Compliance Term, VPN Solutions shall submit a report to HHS regarding VPN Solutions’ compliance with this CAP.  This report, known as the “Annual Report,” shall include:

a. An attestation signed by an officer or owner of VPN Solutions attesting that any revision(s) to the risk management plan required by section V.D. were adopted and implemented.

b. A summary of Reportable Events (defined in section V.G.), if any, the status of any corrective and preventative action(s) relating to all such Reportable Events, or an attestation signed by an officer or director of VPN Solutions stating that no Reportable Events occurred during the Compliance Term.

c. An attestation signed by an owner or office of VPN Solutions attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

VIII. Document Retention

VPN Solutions shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.

IX. Breach Provisions

VPN Solutions is expected to fully and timely comply with all provisions contained in this CAP.

1. Timely Written Requests for Extensions. VPN Solutions may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP.  A “timely written request” is defined as a request in writing received by HHS at least 7 calendar days prior to the date such an act is required or due to be performed. HHS shall respond to requested extensions within 3 calendar days of the request.
2. Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty. The parties agree that a breach of this CAP by VPN Solutions constitutes a breach of the Agreement. Upon a determination by HHS that VPN Solutions has breached this CAP, HHS may notify VPN Solutions of: (1) VPN Solutions’ breach; and (2) HHS’s intent to impose a civil money penalty (CMP), pursuant to 45 C.F.R. Part 160, or other remedies, for the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy, Security, and Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).
3. VPN Solutions Response. VPN Solutions shall have 30 calendar days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’s satisfaction that:
   1. VPN Solutions is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
   2. the alleged breach has been cured; or
   3. the alleged breach cannot be cured within the 30-day period, but that: (a) VPN Solutions, has begun to take action to cure the breach; (b) VPN Solutions is pursuing such action with due diligence; and (c) VPN Solutions has provided to HHS a reasonable timetable for curing the breach.
   4. HHS shall not unreasonably withhold its satisfaction of VPN Solutions’ compliance with Section VIII(C).
4. Imposition of CMP. If at the conclusion of the 30-day period, VPN Solutions fails to meet the requirements of section VIII.C of this CAP to HHS’s satisfaction or the Parties cannot agree to a mutual resolution per section VIII.C, HHS may proceed with the imposition of the CMP against VPN Solutions pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct set forth in paragraph 2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify VPN Solutions in writing of its determination to proceed with the imposition of the CMP. VPN Solutions reserves all rights to dispute HHS’ determination, in law and equity.  HHS must offset any CMP amount levied under this section by the amounts already paid by VPN Solutions, in lieu of CMPs under this Resolution Agreement.  Any such offset will apply only to Covered Conduct up to and including the Effective Date.

For Virtual Private Network Solutions, LLC:

/s/
John Moore, President
Virtual Private Network Solutions, LLC

Dated: 11/13/2024

For the United States Department of Health and Human Services

Jamie Rahn Ballay, Regional Manager 
Office for Civil Rights
Mid-Atlantic Region

Dated: 11/15/2024

Endnotes:

¹  The covered entities for which it reported are: (1) My Hoa Kaas, DPM, P.C. d/b/a Virginia Foot and Ankle Center (Fairfax, Virginia); (2) Capital Foot Care (Henrico, Virginia); (3) Growing Child Pediatrics (Raleigh, North Carolina); (4) Fredricksburg Foot & Ankle Center (Fredricksburg, Virginia); (5) Leelama George, M.D. (Colonial Heights, Virginia); (6) Haymarket Pediatrics (Haymarket, Virginia); (7) Kaplansky Foot & Ankle Centers (Columbus, Ohio); (8) NOVA Cardiovascular Care (Mclean, Virginia); (9) Pediatric & Adolescent Health Partners (Midlothian, Virginia); (10) Pediatric Partners of Virginia, LLC (Henrico, Virginia); (11) Williamsburg Square Family Practice (Lorton, Virginia); and (12) Virginia Foot & Ankle Center, P.C. (Richmond, Virginia).