HHS OCR Settles Second Ransomware Cyberattack
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Green Ridge Behavioral Health, LLC, a Maryland-based psychiatric practice. This settlement, made under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), follows an investigation into a ransomware attack that compromised the protected health information of more than 14,000 individuals.
Ransomware, malicious software designed to block access to data until a ransom is paid, has become increasingly prevalent, posing a significant threat to patient privacy and healthcare providers’ operations.
HHS Second Settlement
This settlement represents the second instance where OCR has taken action against a HIPAA-regulated entity in response to a ransomware attack.
Earlier, in November 2023, HHS concluded an investigation into a 2018 data breach involving Doctors’ Management Services, culminating in a settlement wherein they levied a penalty of US$100,000 to resolve the issue.
According to OCR Director Melanie Fontes Rainer, ransomware attacks leave patients extremely vulnerable, depriving them of access to their medical records and hindering informed decision-making about their health.
The severity of these cyberattacks highlights the urgent need for healthcare providers to implement enhanced cybersecurity measures to safeguard patients’ protected health information.
“These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware,” stated OCR Director Melanie Fontes Rainer in an official release.
Investigation Findings: HIPAA Violations
Green Ridge Behavioral Health reported a breach to OCR in February 2019, disclosing that their network server had been infected with ransomware, causing the encryption of company files and all patients’ electronic health records.
OCR’s subsequent investigation discovered potential violations of the HIPAA Privacy and Security Rule. Among these results, Green Ridge Behavioral Health did not undertake a thorough investigation to identify potential risks and vulnerabilities to electronically protected health information.
Furthermore, insufficient security measures were in place to reduce these risks to an acceptable level, and insufficient monitoring of health information system activity made them vulnerable to cyberattacks.
As part of the settlement, Green Ridge Behavioral Health has agreed to pay US$40,000 and undertake a corrective action plan overseen by OCR for three years.
Key components of the corrective action plan include conducting comprehensive risk analyses, designing a risk management plan, revising policies and procedures to comply with HIPAA Rules, providing workforce training, auditing third-party arrangements, and reporting non-compliance to OCR.
The settlement with Green Ridge Behavioral Health sheds light on the escalating cyber threat posed by ransomware and hacking in the healthcare sector. Over the past five years, there has been a significant increase in large breaches involving hacking and ransomware, with hacking alone accounting for 79% of large breaches reported to OCR in 2023.
Best Practices: Mitigating Cyber Threats
To mitigate and prevent cyber threats, OCR recommends several best practices for healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA.
These include reviewing vendor relationships to ensure appropriate agreements are in place, integrating risk analysis into business processes, implementing audit controls, utilizing multi-factor authentication, encrypting protected health information, providing regular training, and incorporating lessons learned from previous incidents into security management processes.
The settlement with Green Ridge Behavioral Health serves as a reminder of the critical importance of cybersecurity measures in protecting patient privacy and maintaining trust in the healthcare industry.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
