OCR settles its 2nd ransomware investigation, probably not the last

The watchdog agency has reached an agreement with a behavioral health practice for potential HIPAA Privacy and Security Rule violations leading up to and at the time of the 2019 breach.
By Andrea Fox
10:28 AM


Following an investigation into the breach of the protected health information of 14,000 individuals, the U.S. Health and Human Services and the Office of Civil Rights announced a $40,000 settlement with Green Ridge Behavioral Health, which provides psychiatric evaluations, medication management and psychotherapy.

WHY IT MATTERS

The Maryland-based practice reported in February 2019 that its network server had been infected with ransomware, resulting in the encryption of company files and the electronic health records of all patients, according to an OCR announcement on February 21.

According to the agency, its post-ransomware investigation also found that the behavioral health practice failed to accurately and thoroughly analyze the potential risks and vulnerabilities to the electronic protected health information (ePHI) it held, implement security measures to reduce those vulnerabilities and sufficiently monitor health information systems’ activity to defend ePHI against a cyberattack.

Ransomware leaves patients exposed, stressed OCR Director Melanie Fontes Rainer in a statement about the settlement. 

"These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being," she said.

Under OCR's terms, Green Ridge Behavioral Health agreed to pay $40,000 and implement a corrective action plan that will be monitored for three years, the agency said. 

Previously in November, OCR settled its first ransomware breach investigation with Doctors’ Management Services, a third-party medical billing and payor credentialing service, over the theft of 206,695 individuals' protected data using GandCrab ransomware. 

THE LARGER TREND

With a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware over the past five years, the agency has been able to track the impact cyberattacks have on breached patient data.

In 2023, the largest breaches reported affected more than 134 million people, a 141% increase from 2022, the agency said. Hacking, however, accounted for 79% of the large breaches reported to OCR. 

Phishing, vishing, smishing and quishing are tactics hackers use to victimize healthcare organizations. 

By recognizing hacker motivations and understanding where they can attack, chief information officers can learn how to protect against social engineering attacks.

Healthcare providers need to understand the particularities of their own organizations' security capabilities to know why they may be more likely to be targeted, and how the patient data they have might inspire hackers' motivations, as Kathleen Ann Mullin, CISO at MyCareGorithm, told us in 2021.

"Do they have a strong and mature information security program?" she asked. "Is the organization an industry leader? Do they have a large market share? What country or region are they in? Are their leaders active in the media? Or social media?

"Do they have famous, wealthy or other notable patients? Do they have research facilities? Do they do teaching or training? Have they had breaches in the past? Does their organization or [do their] employees post or share information about their systems or infrastructure? Are there disgruntled current or former employees? Are the vendors that provide or support their systems known?"

ON THE RECORD

"Healthcare providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyberattacks such as ransomware," said OCR's Fontes Rainer in announcing the new ransomware settlement.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
