Cyber Attack Leads to $100K Settlement for Business Associate | Saul Ewing LLP

  • The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $100,000 settlement with Doctors’ Management Services (DMS), a Massachusetts medical management company for a HIPAA breach due to a ransomware attack that affected the electronic protected health information (ePHI) of 206,695 individuals. This is the first OCR settlement following a ransomware attack.
  • DMS’s network server was accessed without authorization on April 1, 2017, leading to a ransomware infection, but the malware intrusion was not detected until December 24, 2018. OCR found that DMS lacked a comprehensive risk analysis and sufficient health information system monitoring to protect against a cyber attack. It also lacked policies and procedures in line with the HIPAA Security Rule.
  • As part of the settlement agreement, DMS has to pay $100,000, will be monitored by OCR for three years, and has to implement a corrective action plan (CAP) that includes updating its Risk Analysis and Risk Management Plan, revising its written policies and procedures to comply with the HIPAA Privacy and Security Rules, and providing workforce training on those policies and procedures. OCR has reported a significant increase in data breaches due to hacking and ransomware in the past four years, particularly affecting the healthcare sector.


HHS Announces HIPAA Settlement Following Ransomware Attack

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has settled for $100,000 with Doctors’ Management Services (DMS), a Massachusetts medical management company. This agreement concludes an investigation into a ransomware attack that affected the electronic protected health information (ePHI) of over 206,000 individuals. Given that this is OCR’s first ransomware-related settlement, it underscores the growing cyber threats in healthcare.

Key Points from the Settlement

  • DMS, a HIPAA business associate, faced a ransomware attack due to undetected malware. This led to a significant data breach and a $100,000 settlement with OCR.
  • Organizations must review and update their HIPAA Risk Analysis to identify potential risks and vulnerabilities. Workforce training and an updated Risk Management Plan can help reduce exposure to cyber threats.

The Breach and OCR Investigation

DMS reported the breach to HHS in April 2019, with the initial unauthorized access occurring in April 2017. The intrusion remained undetected until December 2018, revealing serious security lapses. OCR found DMS lacking in risk analysis, system monitoring, and adequate HIPAA security policies.

Settlement Agreement and Corrective Action Plan

Under the settlement, DMS must pay $100,000 and implement a corrective action plan (CAP) to ensure HIPAA compliance and protect ePHI’s security. OCR will further monitor DMS for three years. The CAP requires DMS to update its Risk Analysis, Risk Management Plan, and written policies besides providing workforce training. The resolution agreement and corrective action plan can be viewed here.

Increase in Cyber Threats in Healthcare

OCR reported a 239% increase in large breaches involving hacking and a 278% increase in ransomware over the past four years. OCR Director Melanie Fontes Rainer emphasized the need for healthcare systems to address cybersecurity vulnerabilities proactively.

Best Practices to Mitigate Cyber Threats

OCR recommends healthcare providers and business associates employ practices like thorough vendor and contractor checks, audit controls, and multi-factor authentication. Additionally, regular risk analysis, encryption of ePHI, and workforce training are crucial for safeguarding data. More guidance on the Privacy Rule, Security Rule, and Breach Notification Rules can be found on OCR’s website.

Importance of Regular Risk Analysis and Workforce Training

Regular risk analyses, updates to the Risk Analysis Plan, and workforce training on HIPAA policies are essential for avoiding breaches and their associated costs, both economic and reputational.

