
First ever HIPAA ransomware settlement announced by HHS


The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Doctors' Management Services under the Health Insurance Portability and Accountability Act (HIPAA).

The settlement follows a ransomware attack that affected more than 200,000 individuals. It includes a $100,000 payment and a corrective action plan, and is part of OCR's ongoing effort to improve data security across the healthcare sector.

What happened

Doctors' Management Services suffered a ransomware attack that compromised the electronic protected health information (ePHI) of 206,695 individuals. The attackers first gained unauthorized access to the network in April 2017, but the intrusion was not detected until December 2018, when the GandCrab ransomware was deployed: roughly 20 months of undetected access before the encryption stage made the breach visible. This is OCR's first settlement specifically tied to a ransomware attack; it includes a $100,000 payment from Doctors' Management Services and a corrective action plan to bring the company into HIPAA compliance.

By the numbers

Over the last four years, OCR has reported a 239% increase in large breaches involving hacking and a 278% increase in ransomware incidents. In 2023 alone, hacking accounted for 77% of the large breaches reported to OCR, affecting more than 88 million individuals, a 60% increase over 2022.

What they're saying

OCR Director Melanie Fontes Rainer highlighted the increasing prevalence of ransomware attacks targeting the healthcare system, saying, "Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches."

She stressed the importance of proactive measures, including regular reviews of risks and policies, to prevent future cyberattacks. 

Fontes Rainer noted, "In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks."

Between the lines

The investigation found several Security Rule failures at Doctors' Management Services: it had not conducted an accurate and thorough analysis of the risks and vulnerabilities to its ePHI, it did not sufficiently monitor activity on its information systems (the gap that allowed the intrusion to persist undetected for about 20 months), and it lacked the policies and procedures needed to implement the HIPAA Security Rule's requirements.

Go deeper

Doctors' Management Services has agreed to a corrective action plan that includes updating its risk analysis and risk management plan, revising its written policies and procedures, and training its workforce on those HIPAA policies. OCR also recommends practices healthcare providers can adopt to mitigate or prevent cyber threats, including multi-factor authentication, encryption of ePHI, and audit controls with regular review of information system activity, the control whose absence let this intrusion go unnoticed for so long.

What's next

Under the settlement terms, OCR will monitor Doctors' Management Services for three years to ensure continued HIPAA compliance. As OCR's first ransomware settlement, the case signals how the agency is likely to handle future ransomware-related breaches.