The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has announced a settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Green Ridge Behavioral Health, LLC, a Maryland-based practice specializing in psychiatric evaluations, medication management, and psychotherapy. The settlement, announced on February 21, arose from a ransomware attack that affected the protected health information of more than 14,000 individuals. It is the second settlement OCR has reached with a HIPAA-regulated entity following a ransomware attack investigation.
Ransomware is malicious software engineered to block access to data, and it is a mounting threat across many sectors, including healthcare. It works by encrypting the victim's files and holding them inaccessible until a ransom is paid. The attacker typically demands payment in cryptocurrency and promises to supply the decryption key once the ransom is received, although paying does not guarantee that a working key will actually be delivered. In healthcare, where the data at stake is sensitive patient information, the consequences are especially severe: losing access to medical records not only disrupts normal operations but also impairs patients' ability to make informed decisions about their health.
Green Ridge Behavioral Health's breach report to OCR in February 2019 described a ransomware infection on its network server that encrypted company files and electronic health records. OCR's subsequent investigation found evidence of potential violations of the HIPAA Privacy and Security Rules, including the absence of a thorough risk analysis, inadequate security measures, and insufficient monitoring of activity on its health information systems. Under the settlement, Green Ridge Behavioral Health agreed to pay $40,000 and to implement a corrective action plan that OCR will monitor for three years. The plan sets out measures to address the potential violations and improve the protection of electronic protected health information: conducting a thorough risk analysis, developing a risk management plan, revising policies and procedures to comply with the HIPAA Rules, training the workforce, auditing third-party arrangements, and reporting incidents of non-compliance to OCR.
Ransomware and hacking remain the primary cyber threats to the healthcare sector. According to OCR, large breaches attributed to hacking and ransomware have increased in healthcare over the past five years, and hacking accounted for 79% of the large breaches reported in 2023. In response, OCR advises HIPAA-regulated entities to adopt a set of best practices: review vendor relationships carefully, integrate risk analysis into business processes, implement robust audit controls, adopt multi-factor authentication so that only authorized users can access protected health information, and provide regular workforce training. Together these measures are meant to strengthen the resilience of healthcare organizations' security programs and recognize the role the workforce plays in preserving the privacy and security of sensitive health data. Against the backdrop of rising cyber threats, healthcare providers must prioritize comprehensive security strategies to safeguard patient information and maintain the integrity of their systems.
“Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable,” said OCR Director Melanie Fontes Rainer. “These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”