
HHS settles $100K ransomware investigation

Doctors' Management Services failed to conduct a risk analysis identifying the potential risks and vulnerabilities to its electronic protected health information, HHS says.

Jeff Lagasse, Editor


Massachusetts-based medical management company Doctors' Management Services will pay the Department of Health and Human Services' Office for Civil Rights (OCR) $100,000 in a settlement over a ransomware attack.

The HIPAA Privacy, Security, and Breach Notification Rules require HIPAA-regulated entities to protect the privacy and security of health information. The $100,000 settlement resolves a large breach report regarding a ransomware attack that affected the electronic protected health information of 206,695 individuals.

This marks the first ransomware agreement OCR has reached, the agency said.

October is Cybersecurity Awareness Month, and OCR has been working with health insurers, providers and clearinghouses covered by HIPAA to ensure better data security. Ransomware and hacking are the primary cyber-threats in healthcare, the agency said. 

In the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware. This trend continues in 2023, where hacking accounts for 77% of the large breaches reported to OCR. 

Additionally, the large breaches reported this year have affected over 88 million people, a 60% increase from last year.

WHAT'S THE IMPACT?

On April 22, 2019, Doctors' Management Services filed a breach report with HHS saying that 206,695 people were affected when its network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017, but Doctors' Management Services didn't detect the intrusion until December 24, 2018, after the ransomware was used to encrypt its files. In April 2019, OCR began its investigation.

It found evidence of potential failures by Doctors' Management Services to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems' activity to protect against a cyberattack, and a lack of policies and procedures to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity and availability of electronic protected health information.

Under the terms of the settlement agreement, OCR will monitor Doctors' Management Services for three years to ensure compliance with HIPAA. In addition, the company has agreed to pay $100,000 to OCR and to implement a corrective action plan, which identifies steps it should take to resolve potential violations of the HIPAA Privacy and Security Rules.

Doctors' Management Services will be compelled to review and update its risk analysis to identify the potential risks and vulnerabilities to its data; update its enterprise-wide risk management plan; review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules; and provide workforce training on HIPAA policies and procedures.

THE LARGER TREND

A Proofpoint and Ponemon Institute survey last month found patient care is under threat from cyberattacks, particularly supply chain and business email compromise (BEC) attacks, as more and more healthcare organizations grapple with the cost and disruption associated with them.

Eighty-eight percent of the surveyed organizations experienced an average of 40 attacks in the past 12 months. The average total cost of a cyberattack was $4.99 million, a 13% increase from the previous year.

Among the organizations that suffered the four most common types of attacks – cloud compromise, ransomware, supply chain and BEC – an average of 66% reported disruption to patient care. Specifically, 57% reported poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications, and 23% experienced increased patient mortality rates.

Ransomware remains an ever-present threat to healthcare organizations, even as concern about it declines: Some 54% of respondents say their organization suffered a ransomware attack, up from 41% in 2022. Yet ransomware fell to the bottom of threat concerns, with only 48% of respondents saying it is the threat that concerns them most, compared to 60% last year.

Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com