Feds Levy First-Ever HIPAA Fine for Ransomware Data Breach
Massachusetts Management Firm to Pay $100,000, Monitor HIPAA Compliance for 3 Years
A Massachusetts-based medical management firm holds the dubious honor of being the first ransomware victim fined for a data breach by the Department of Health and Human Services.
Doctors Management Service agreed to a $100,000 financial settlement and three years of HIPAA compliance monitoring following an investigation into a ransomware breach reported in 2019 as affecting nearly 206,700 individuals.
The Department of Health and Human Services' Office for Civil Rights on Tuesday said the settlement with the West Bridgewater, Massachusetts-based company is the agency's first HIPAA enforcement action in a case involving ransomware.
"Our settlement highlights how ransomware attacks are increasingly common and targeting the healthcare system," said Melanie Fontes Rainer, HHS OCR director, in a statement. "This leaves hospitals and their patients vulnerable to data and security breaches," she said.
"In this ever-evolving space, it is critical that our healthcare system take steps to identify and address cybersecurity vulnerabilities, along with proactively and regularly reviewing risks and records and updating policies. These practices should happen regularly across an enterprise to prevent future attacks."
Since 2019, HHS OCR said, it has seen a 239% increase in major health data breaches reported to the agency involving hacking and a 278% increase in incidents involving ransomware.
"This trend continues in 2023, where hacking accounts for 77% of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60% increase from last year," HHS OCR said.
HHS OCR's $100,000 settlement with Doctors Management Service resolved the agency's investigation into an attack involving GandCrab ransomware that the company reported in April 2019.
An investigation found that the initial unauthorized access to the company's network had occurred two years earlier - on April 1, 2017. "However, Doctors' Management Services did not detect the intrusion until Dec. 24, 2018, after ransomware was used to encrypt their files," HHS OCR said.
HHS OCR's investigation found several areas of potential HIPAA violations, including failure to conduct an accurate and thorough HIPAA security risk analysis; failure to implement procedures to regularly review records of information system activity, including audit logs, access reports and security incident tracking reports; and failure to implement reasonable and appropriate policies and procedures to comply with various other requirements of the HIPAA Security Rule.
Under the resolution agreement with HHS OCR, Doctors Management Service will implement a corrective action plan and undergo HIPAA compliance monitoring by the agency for three years.
The corrective actions Doctors Management Service must take include reviewing and updating its risk analysis to identify the potential risks and vulnerabilities affecting PHI, updating its enterprisewide risk management plan to mitigate any security risks and vulnerabilities found in the updated risk analysis, reviewing and revising its policies and procedures to comply with the HIPAA privacy and security rules, and providing workforce training on those policies and procedures.
Doctors Management Service Statement
Doctors Management Service in a statement provided to Information Security Media Group said it takes its recent fine from the federal government very seriously.
"While no patient data was proven to be taken or sold, we acknowledge the importance of safeguarding all healthcare information. As a proactive step, we have enhanced our security measures by moving PHI to the cloud and are actively working with regulators to ensure ongoing compliance. Our priority remains protecting patient privacy, and we are dedicated to learning from this experience and improving our data security practices to prevent any future breaches," the company said.
"We would like to clarify that we never paid the ransomware attacker and took immediate action to remove them from our systems. In response to the incident, we have implemented several measures to strengthen our data security. This includes discontinuing VPN connections within our organization and upgrading all employee hardware to ensure the highest level of protection."
The breach affected approximately 40 clients, the majority of whom practice in Massachusetts across various healthcare specialties, Doctors Management Service said. "Over the past five years, we have proactively collaborated with specialized legal and forensic IT experts, in addition to our compliance vendor, to consistently enhance our security protocols."
The settlement with Doctors Management Service is HHS OCR's ninth HIPAA enforcement action announced so far this year.
The largest HIPAA penalty so far in 2023 was a $1.25 million settlement with Arizona-based Banner Health in February for a 2016 hacking incident that affected nearly 3 million people.
Privacy attorney Kirk Nahra of the law firm WilmerHale said that while this enforcement case is driven by a ransomware attack, the ultimate findings do not appear to be specific to ransomware.
"They are the same kinds of alleged security failures that OCR has pursued in other situations for many years," he said.
Nonetheless, covered entities need to have an appropriate incident response plan for ransomware because of the potential implications for both privacy and business operations, he said.
"At the same time - and more important overall - companies need to have broad and appropriate comprehensive risk assessment and risk management activities to address any kind of potential security incident, ransomware or otherwise," he said.
"While OCR uses reported security incidents as a means of starting investigations, I hope that they also will continue to be thoughtful and reasonable about how companies approach their security operations and will not descend into a 'blame the victim' approach where companies in fact have implemented reasonable and appropriate security procedures in good faith."