HHS Reaches Settlement With Healthcare Business Associate Following Ransomware Attack

November 01, 2023 - The HHS Office for Civil Rights (OCR) announced a $100,000 settlement to resolve a data breach investigation with Doctors’ Management Services, a Massachusetts-based medical management company and healthcare business associate that suffered a ransomware attack in 2018. The settlement marks the first-ever ransomware agreement that OCR has reached.

In April 2019, Doctors’ Management Services filed a breach report with HHS, acknowledging that 206,695 individuals were impacted by a cyberattack carried out by GandCrab ransomware actors. Although the report was filed in 2019, the initial intrusion occurred in 2017. Doctors’ Management Services only detected the breach in December 2018, when ransomware was used to encrypt its files.

OCR launched an investigation following the breach report and found evidence of potential failures, including a failure to analyze risks and vulnerabilities to electronic protected health information. Other potential failures included insufficient monitoring of its health information systems to protect against a cyberattack, and a lack of policies in place to implement the HIPAA Security Rule’s requirements.

In addition to the $100,000 settlement, Doctors’ Management Services agreed to implement a corrective action plan. The corrective action plan consists of updating its enterprise-wide risk management plan to address security risks and vulnerabilities, and reviewing and updating its risk analysis process.

In addition, Doctors’ Management Services agreed to review and revise its written policies and procedures to comply with the HIPAA Privacy and Security Rules, if necessary, and to provide workforce training on HIPAA policies.

OCR also said that it will monitor the company for three years to ensure HIPAA compliance going forward.

“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer.

“In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

Ransomware and other hacking incidents remain a top threat to healthcare, as exemplified by the breach reports that HHS has received in recent years. There has been a 239 percent increase in large breaches reported to OCR involving hacking in the past four years, OCR stated.

What’s more, 77 percent of the large breaches reported to HHS this year have been attributed to hacking. OCR recently divulged these figures in an educational video on the HIPAA Security Rule. The video aimed to help covered entities understand the value of the HIPAA Security Rule in helping them recover from cyberattacks.

Even with the multitude of resources available to healthcare organizations, it can be difficult to mitigate risk and prevent cyberattacks within a highly targeted industry. OCR recommended that healthcare organizations, health plans, clearinghouses, and business associates review vendor relationships, conduct risk analyses, and leverage multi-factor authentication, among other safeguards.

The HIPAA Security Rule’s requirements provide a roadmap for mitigating risk through compliance activities, and can help organizations avoid noncompliance penalties and investigations.