HHS OCR Settles Second Ransomware Cyberattack

The U.S. Division of Well being and Human Companies (HHS), Workplace for Civil Rights (OCR), has introduced a settlement with Inexperienced Ridge Behavioral Well being, LLC, a Maryland-based psychiatric apply. This settlement, made below the Well being Insurance coverage Portability and Accountability Act of 1996 (HIPAA), follows an investigation right into a ransomware attack that compromised the protected well being data of greater than 14,000 people.

Ransomware, malicious software program designed to dam entry to knowledge till a ransom is paid, has grow to be more and more prevalent, posing a major menace to patient privacy and healthcare providers’ operations.

HHS Second Settlement

This settlement represents the second occasion the place OCR has taken motion towards a HIPAA-regulated entity in response to a ransomware assault.

Earlier, in November 2023, HHS concluded an investigation into a 2018 data breach involving Docs’ Administration Companies, culminating in a settlement whereby they levied a penalty of US$100,000 to resolve the difficulty.

In accordance with OCR Director Melanie Fontes Rainer, ransomware assaults go away sufferers extraordinarily weak, depriving them of entry to their medical information and hindering knowledgeable decision-making about their well being.

The severity of those cyberattacks highlights the pressing want for healthcare suppliers to implement enhanced cybersecurity measures to safeguard sufferers’ protected well being data.

“These assaults trigger misery for sufferers who won’t have entry to their medical information, subsequently they might not be capable to take advantage of correct choices regarding their well being and well-being. Well being care suppliers want to grasp the seriousness of those assaults and will need to have practices in place to make sure sufferers’ protected well being data isn’t subjected to cyber-attacks reminiscent of ransomware,” said OCR Director Melanie Fontes Rainer in an official release.

Investigation Findings: HIPAA Violations

Inexperienced Ridge Behavioral Well being reported a breach to OCR in February 2019, disclosing that their community server had been contaminated with ransomware, inflicting the encryption of firm information and all sufferers’ digital well being information.

OCR’s subsequent investigation found potential violations of the HIPAA Privateness and Safety Rule. Amongst these outcomes, Inexperienced Ridge Behavioral Well being didn’t undertake an intensive investigation to establish potential dangers and vulnerabilities to electronically protected well being data.

Moreover, inadequate safety measures have been in place to scale back these dangers to an appropriate stage, and inadequate monitoring of well being data system exercise made them weak to cyberattacks.

As a part of the settlement, Inexperienced Ridge Behavioral Well being has agreed to pay US$40,000 and undertake a corrective motion plan overseen by OCR for 3 years.

Key parts of the corrective motion plan embrace conducting complete danger analyses, designing a danger administration plan, revising insurance policies and procedures to adjust to HIPAA Guidelines, offering workforce coaching, auditing third-party preparations, and reporting non-compliance to OCR.

The settlement with Inexperienced Ridge Behavioral Well being sheds mild on the escalating cyber threat posed by ransomware and hacking within the healthcare sector. Over the previous 5 years, there was a major enhance in giant breaches involving hacking and ransomware, with hacking alone accounting for 79% of enormous breaches reported to OCR in 2023.

Finest Practices: Mitigating Cyber Threats

To mitigate and stop cyber threats, OCR recommends a number of best practices for healthcare providers, well being plans, clearinghouses, and enterprise associates coated by HIPAA.

These embrace reviewing vendor relationships to make sure acceptable agreements are in place, integrating danger evaluation into enterprise processes, implementing audit controls, using multi-factor authentication, encrypting protected well being data, offering common training, and incorporating lessons learned from earlier incidents into safety administration processes.

The settlement with Inexperienced Ridge Behavioral Well being serves as a reminder of the essential significance of cybersecurity measures in defending affected person privateness and sustaining belief within the healthcare business.

Media Disclaimer: This report relies on inner and exterior analysis obtained via numerous means. The knowledge supplied is for reference functions solely, and customers bear full accountability for his or her reliance on it. The Cyber Express assumes no legal responsibility for the accuracy or penalties of utilizing this data.

Associated