
HHS Settles Ransomware Investigation With Behavioral Health Provider

This marks the second-ever ransomware settlement that OCR has reached with a covered entity over potential HIPAA violations following a ransomware attack.


By Jill McKeon

Green Ridge Behavioral Health agreed to pay $40,000 and implement corrective actions to resolve a ransomware investigation conducted by the HHS Office for Civil Rights (OCR). This marks the second-ever ransomware settlement that OCR has reached after launching an investigation in the wake of a ransomware attack and discovering potential HIPAA violations.

The first was announced in November 2023, when a Massachusetts-based medical management company agreed to pay $100,000 to resolve potential violations stemming from a 2018 ransomware attack.

In the case of Green Ridge Behavioral Health, a Maryland-based practice that provides psychotherapy, medication management, and psychiatric evaluations, the investigation began in February 2019, when the practice filed a breach report with OCR.

The breach report stated that ransomware had infected Green Ridge’s network, resulting in the encryption of electronic health records and company files. The breach impacted the data of more than 14,000 individuals.

OCR’s investigation uncovered evidence of potential HIPAA Privacy and Security Rule violations that occurred before and during the ransomware attack. OCR claimed that Green Ridge failed to conduct a thorough risk analysis to identify potential vulnerabilities affecting its electronic protected health information.

What’s more, OCR said that Green Ridge failed to implement security measures to reduce risk and failed to sufficiently monitor its health information systems’ activity to protect against an attack.

Under the terms of the settlement, Green Ridge agreed to conduct a thorough risk analysis, design a risk management plan to address vulnerabilities, and provide workforce training on HIPAA policies. In addition, Green Ridge will conduct an audit of third-party vendors to ensure that business associate agreements are in place, and report to OCR if workforce members fail to comply with HIPAA.

“Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable,” said OCR Director Melanie Fontes Rainer.

“These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”

OCR stressed the importance of mitigating cyber threat risks across the sector, especially considering that there has been a 256 percent increase in large breaches reported to OCR involving hacking in the last five years.

OCR recommended that all covered entities review vendor relationships, leverage multi-factor authentication, and implement regular reviews of information system activity.