On October 31, 2023, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) entered into its first HIPAA settlement involving a ransomware attack. OCR reached a settlement with Doctors’ Management Services (DMS) to resolve a breach report following a ransomware attack that affected over 206,000 individuals’ protected health information (PHI). The Massachusetts medical management company, a business associate to HIPAA covered entities, provides services such as billing and payor credentials.
In April 2019, DMS filed a breach report to notify HHS that at least 206,000 individuals had their PHI affected when its network was infected with GandCrab ransomware. Ransomware denies victims access to their data by encrypting it with a key that only the attacker holds; typically, the attacker keeps the data encrypted until a ransom is paid. The attackers gained unauthorized access to the DMS network on April 1, 2017; however, DMS did not detect the unauthorized access until December 24, 2018, when the ransomware was deployed.
After receipt of DMS’ report of a breach affecting 500 or more individuals, OCR launched an investigation per its standard process. The investigation revealed evidence of potential failures by DMS, including the failure to conduct an analysis of potential risks and vulnerabilities to electronic PHI (ePHI). OCR also found a lack of HIPAA policies and procedures and insufficient monitoring of organizational systems to protect against cyberattacks.
In addition to being OCR’s first-ever ransomware settlement, this enforcement action is notable for the three-year corrective action plan (CAP) agreed to as part of the resolution agreement between OCR and DMS. The vast majority of CAPs included with prior enforcement actions end after two years. DMS also agreed to a monetary settlement of $100,000.
With healthcare data breaches on the rise, OCR’s first ransomware enforcement action emphasizes the importance of conducting a proper risk analysis of potential vulnerabilities to the confidentiality of ePHI. Beyond this enterprise-wide analysis, HIPAA-regulated entities should ensure that they are taking proper measures to monitor systems for impermissible access. In its release describing the settlement with DMS, OCR recommends best practices, including the use of multi-factor authentication to ensure that only authorized users access an organization’s ePHI, encryption of ePHI to guard against unauthorized access, and organization- and role-specific training to ensure the security of ePHI.