OCR Settles with Business Associate in Attack Affecting Over 200,000 Individuals

In a landmark development during Cybersecurity Awareness Month, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a significant settlement under the Health Insurance Portability and Accountability Act (HIPAA). Doctors’ Management Services, a Massachusetts-based medical management company, has agreed to a $100,000 settlement following a ransomware attack that compromised the electronic protected health information (ePHI) of over 200,000 individuals. This settlement, a first-of-its-kind involving ransomware, underscores the growing threat cyberattacks pose to the healthcare industry.

Ransomware: A Looming Threat to Healthcare

Ransomware, a type of malicious software, is designed to deny access to a user’s data by encrypting it, making it inaccessible until a ransom is paid to the attacker. This settlement marks a significant moment for OCR, as it is the first resolution agreement the agency has reached in connection with a ransomware incident. The attack on Doctors’ Management Services serves as a stark reminder of the evolving and persistent cybersecurity challenges that the healthcare sector faces.

Alarming Trends in Cybersecurity

In recent years, hacking and ransomware attacks have become the primary cyber threats in the healthcare industry. According to OCR, there has been a 239% increase in large breaches involving hacking over the past four years, accompanied by a staggering 278% increase in ransomware incidents. The trend continues into 2023, with hacking accounting for a significant 77% of large breaches reported to OCR. Alarmingly, these large breaches have affected over 88 million individuals, signifying a 60% increase from the previous year.

The OCR Director’s Perspective

OCR Director Melanie Fontes Rainer emphasized the importance of addressing these cybersecurity vulnerabilities proactively. She stated, “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches. In this ever-evolving space, it is critical that our health care system takes steps to identify and address cybersecurity vulnerabilities, regularly review risks, records, and update policies.”

The Breach Incident: A Wake-Up Call

The breach incident that led to the settlement began when an unauthorized party gained access to Doctors’ Management Services’ network server in April 2017. However, the company did not detect the intrusion until December 2018, when ransomware encrypted its files. This delay of more than a year and a half between initial compromise and detection highlights the critical need for proactive cybersecurity measures, ongoing monitoring of system activity, and rapid response protocols within the healthcare industry.

OCR’s Investigation Findings

OCR’s investigation uncovered several potential failures by Doctors’ Management Services, including:

  1. Lack of an adequate analysis to determine risks and vulnerabilities to ePHI across the organization.
  2. Insufficient monitoring of health information systems’ activity to protect against cyberattacks.
  3. A deficiency of policies and procedures to implement the requirements of the HIPAA Security Rule, which safeguards the confidentiality, integrity, and availability of ePHI.

Terms of the Settlement Agreement

Under the terms of the settlement, OCR will monitor Doctors’ Management Services for three years to ensure compliance with HIPAA. In addition, Doctors’ Management Services has agreed to pay a $100,000 penalty and to implement a corrective action plan, including:

  1. Updating their Risk Analysis to identify potential risks and vulnerabilities.
  2. Enhancing their enterprise-wide Risk Management Plan to mitigate security risks.
  3. Reviewing and revising policies and procedures to comply with HIPAA rules.
  4. Providing workforce training on HIPAA policies and procedures.

Best Practices for Mitigating Cyber Threats

To mitigate or prevent cyber threats, OCR recommends that healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA consider the following best practices:

  1. Ensure vendor and contractor relationships have appropriate business associate agreements in place that address breach and security incident obligations.
  2. Integrate risk analysis and risk management into business processes, conducting regular assessments and planning for new technologies and operations.
  3. Implement audit controls to record and examine information system activity.
  4. Regularly review information system activity.
  5. Utilize multi-factor authentication to enhance user access security.
  6. Encrypt ePHI to guard against unauthorized access.
  7. Incorporate lessons learned from security incidents into the overall security management process.
  8. Provide organization-specific and role-based training to reinforce the critical role of every team member in protecting privacy and security.

In an era where cyber threats to healthcare organizations continue to evolve and increase, this settlement serves as a stark reminder of the importance of robust cybersecurity practices and preparedness within the industry. Healthcare entities must remain vigilant and proactive in safeguarding the privacy and security of patient data.