Business Associate Agrees to $100,000 Settlement Following Cyber Attack

Saul Ewing LLP
On Halloween, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $100,000 settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Doctors’ Management Services (DMS), a Massachusetts medical management company that provides medical billing and payor credentialing and other services for HIPAA-covered entities. The $100,000 settlement resolves an investigation following a ransomware attack that affected the electronic protected health information (ePHI) of 206,695 individuals. Importantly, this is the first (but probably not the last) OCR settlement following a ransomware attack. Ransomware is a type of malicious software (malware) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.

What You Need to Know:

  • A medical management company that is a HIPAA business associate had undetected malware on its network that led to a ransomware attack affecting the ePHI of 206,695 individuals, a $100,000 settlement, and a CAP with OCR.
  • Reviewing and updating an organization’s HIPAA Risk Analysis to identify potential risks and vulnerabilities, updating its Risk Management Plan to address and mitigate the identified security risks and vulnerabilities, and training the workforce are among the best practices for mitigating or preventing cyber threats.

DMS filed a breach report with HHS on April 22, 2019. Importantly, HHS OCR noted that the initial unauthorized access to DMS occurred on April 1, 2017, when the DMS network server was infected with GandCrab ransomware. DMS did not detect the malware intrusion until December 24, 2018 – more than 20 months after the breach took place.

OCR’s investigation found that DMS had not conducted a risk analysis to determine the potential risks and vulnerabilities to ePHI across the organization. OCR also found that DMS insufficiently monitored its health information systems’ activity to protect against a cyber attack and lacked the policies and procedures needed to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of ePHI.

Pursuant to the settlement agreement, in addition to paying $100,000, DMS will implement a corrective action plan (CAP) to protect the security of its ePHI, and OCR will monitor DMS for three years to ensure HIPAA compliance. The CAP requires DMS to:

  • Review and update DMS’s Risk Analysis to identify potential risks and vulnerabilities to DMS data to protect the confidentiality, integrity, and availability of ePHI;
  • Update DMS’s enterprise-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis;
  • Review and revise, if necessary, DMS’s written policies and procedures to comply with the HIPAA Privacy and Security Rules; and
  • Provide workforce training relating to its policies and procedures.

The resolution agreement and corrective action plan may be found here.

OCR noted in its press release announcing this settlement that it has been working with health insurers, health care providers, and clearinghouses that are required to comply with HIPAA to ensure better data security and address ransomware and hacking - the primary cyber threats in health care. In the past four years, OCR noted there has been a 239 percent increase in large breaches involving hacking and a 278 percent increase in ransomware. Hacking accounted for 77 percent of the large breaches reported to OCR in 2023, affecting over 88 million individuals and amounting to a 60 percent increase from the previous year. OCR Director Melanie Fontes Rainer noted in the OCR press release that the DMS settlement highlights how ransomware attacks are increasingly common and targeting the health care system, leaving hospitals and their patients vulnerable to data and security breaches. Ms. Rainer also advised U.S. health care systems to take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly reviewing risks, records, and updating policies to prevent future attacks.

OCR recommends that health care providers, health plans, clearinghouses, and business associates use the following best practices to mitigate or prevent cyber threats:

  • Review all vendor and contractor relationships to ensure that business associate agreements are in place as appropriate and address breach/security incident obligations;
  • Integrate risk analysis and risk management into business processes;
  • Conduct risk analysis and risk management regularly and when new technologies and business operations are planned;
  • Ensure audit controls are in place to record and examine information system activity;
  • Implement regular review of information system activity;
  • Use multi-factor authentication to ensure that only authorized users are accessing ePHI;
  • Encrypt ePHI to guard against unauthorized access to ePHI;
  • Incorporate lessons learned from incidents into the overall security management process;
  • Provide training specific to the organization and job responsibilities, and on a regular basis; and
  • Reinforce workforce members’ critical role in protecting privacy and security.

OCR regularly provides guidance and information to the health care industry to support data privacy and security, and guidance about the Privacy Rule, Security Rule, and Breach Notification Rules is located on OCR’s website.

October was Cybersecurity Awareness Month, and OCR hosted a webinar discussing the HIPAA Security Rule Risk Analysis Requirement. OCR published the following documents to support improved cybersecurity:

Regular risk analyses, updates to the Risk Analysis Plan, and workforce training on HIPAA policies and procedures are critically important for HIPAA-covered entities and business associates, ideally to avoid unauthorized network intrusions and the resulting costs, both economic and reputational, associated with breaches and an OCR investigation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
