HHS Settles its First-Ever Ransomware Investigation for $100,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first-ever ransomware settlement. The investigation of the ransomware attack on Doctors’ Management Services uncovered multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) and a $100,000 settlement was agreed upon.

The healthcare industry has been extensively targeted by ransomware gangs over the past 5 years, resulting in hundreds of data breaches. All healthcare data breaches of 500 or more records are investigated by OCR to determine whether a failure to comply with HIPAA contributed to the breach, but no such investigation had resulted in a financial penalty until now. The attack in question involved GandCrab ransomware. GandCrab was first identified in late January 2018 and was used by a ransomware-as-a-service group for around a year and a half before the operation was shut down. During those 18 months, GandCrab was one of the most widely used ransomware variants.

Doctors’ Management Services detected the attack on December 24, 2018, when files on its network were encrypted. The attack was investigated and the initial access to the network was determined to have occurred on April 1, 2017, around 20 months before the ransomware was deployed. OCR determined that the failure to detect the intrusion during that period was a violation of the HIPAA Security Rule, which requires logs to be maintained and routinely reviewed for signs of compromise. OCR also found insufficient evidence that comprehensive, organization-wide risk analyses had been conducted to identify risks and vulnerabilities to electronic protected health information. The failure to conduct an accurate risk analysis is one of the most common HIPAA Security Rule failures identified by OCR in its investigations of data breaches. OCR also determined that Doctors’ Management Services had insufficient policies and procedures for implementing all requirements of the HIPAA Security Rule.

In addition to the financial penalty, Doctors’ Management Services has agreed to implement a corrective action plan to address all issues identified by OCR during the investigation, and OCR will monitor Doctors’ Management Services for 3 years to ensure HIPAA compliance with the corrective action plan. In the announcement about the settlement, OCR explained that there has been a 239% increase in large healthcare data breaches over the past four years and a 278% increase in ransomware attacks on U.S. healthcare organizations. Given the number of data breaches that have been reported to OCR that are linked to ransomware, this is unlikely to be the last financial penalty for a ransomware attack.

“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

Last month, as part of Cybersecurity Awareness Month, OCR also released a video presentation that explains how HIPAA Security Rule compliance can help healthcare organizations improve their defenses against ransomware and other cyberattacks.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA