The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement for a ransomware cyber attack. This is only the second-ever settlement case for ransomware attacks.
What happened
On February 22nd, the OCR announced a settlement with Green Ridge Behavioral Health. Green Ridge is a Maryland-based healthcare practice providing psychiatric evaluations, medication management, individual psychotherapy, and suboxone treatment.
The settlement follows a data breach Green Ridge faced back in 2019. In February of that year, Green Ridge faced a ransomware attack resulting in data encryption of electronic health records and other company files. The practice filed a breach report with the OCR, which triggered an investigation into the incident. During the investigation, the OCR determined that Green Ridge may have been in violation of HIPAA regulations.
The OCR and Green Ridge settled the case, with Green Ridge agreeing to pay $40,000. Under the settlement terms, Green Ridge did not have to admit any liability.
Going deeper
When Green Ridge experienced the attack, they determined it impacted more than 14,000 individuals. In the OCR’s investigation of the incident, they found that Green Ridge:
- Failed to have an accurate analysis of potential risks and vulnerabilities for electronically protected health information,
- Did not implement security measures to reduce risks and vulnerabilities,
- Did not sufficiently monitor health information systems for suspicious activity.
In addition to the $40,000 fine, Green Ridge is implementing a corrective plan which includes:
- Conducting a comprehensive analysis of potential risks and vulnerabilities of electronically protected health information,
- Creating a Risk Management Plan to address potential risks and vulnerabilities,
- Reviewing or revising policies to comply with HIPAA,
- Providing workforce training on HIPAA regulations,
- Conducting an audit on third-party arrangements to ensure business associate agreements are in place, and
- Reporting any HIPAA compliance complaints with the OCR.
Why it matters
As the second settlement regarding ransomware, the case shows that the HHS is beginning to hold healthcare organizations responsible for preventing attacks and breaches.
Cybercriminals are sophisticated and well-adept in breaching healthcare organizations. While attacks are now harder to prevent, healthcare organizations are still held to high standards of diligence to protect data.
Healthcare organizations should carefully consider the steps required of Blue Ridge and ensure they are already meeting HIPAA requirements.
What was said
The Director of the OCR, Melanie Fontes Rainer, stated “Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable…These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”
The big picture
According to the HHS’ report, there’s been a 256% increase in large hacking-related breaches reported to the OCR. Furthermore, there’s been a 264% increase in breaches related to ransomware.
For many healthcare organizations, it’s a challenging time to keep data safe and protected. Yet, it’s more important now than ever, as data breaches can have devastating financial and legal implications.
With cyberattacks on the rise, organizations should do everything in their power to keep data secure. That’s where Paubox comes in. With an intuitive, HIPAA compliant and HITRUST certified encrypted email suite, you can rest assured that your data is protected.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
