Key lessons emerge from a recent HIPAA settlement.

  • Even if you are a victim, a ransomware event may trigger a HIPAA investigation.
  • Strengthen cybersecurity to reduce risks to patient data and protect your company.

A medical management company in Massachusetts has agreed to pay $100,000 to the U.S. Department of Health and Human Services (HHS) following a ransomware attack it experienced in April 2017. Doctors’ Management Services (DMS) is a business associate that provides medical billing and payer credentialing services for covered entities.

This is the first OCR HIPAA settlement involving ransomware as the triggering event.

The hackers stayed in DMS’ network undetected for more than 20 months until December 2018 when they encrypted the company’s files and demanded a ransom.

DMS filed a breach report with HHS four months later, noting that the hackers accessed 206,695 individuals’ information during the intrusion. However, HIPAA requires that large breaches be reported without unreasonable delay, and in no case later than 60 days after discovering the breach.

HIPAA Gaps and Missteps

HHS’ Office for Civil Rights (OCR) investigated and found that the company had failed to protect electronic protected health information (PHI), as required by HIPAA.

Investigators also found insufficient monitoring of the health information systems’ activity and a lack of policies and procedures to comply with the HIPAA Security Rule.

Action Steps to Full HIPAA Compliance

In addition to the $100,000 payment, DMS agreed to a corrective action plan (CAP) to ensure HIPAA compliance and better protect PHI.

The CAP lasts for three years and includes the following requirements:

  • Review and update the risk analysis to identify the potential risks and vulnerabilities to data.
  • Update the company’s enterprise-wide risk management plan to address any security risks and vulnerabilities found in the risk analysis.
  • Review and revise written HIPAA policies and procedures.
  • Provide each workforce member who has access to PHI with HIPAA training within 60 days and then every 12 months.

“Our settlement highlights how ransomware attacks are increasingly common and targeting the healthcare system. This leaves hospitals and their patients vulnerable to data and security breaches,” said HHS’ OCR Director Melanie Fontes Rainer.

OCR notes that ransomware has become one of the primary cyberthreats to healthcare.

  • Incidents involving hacking now account for 77% of all breaches reported to OCR.
  • Hacking has increased 60% over last year, and has affected more than 88 million individuals in 2023.
  • Ransomware via hacking has increased 278% over five years, from 2018 – 2022.

Lessons Learned for All Regulated Entities

OCR provided more general recommendations to all covered entities and business associates.

Among the recommendations are:

  • Conduct due diligence with third-party vendors and business associates.
  • Perform a risk analysis.
  • Follow a risk management plan.
  • Use multi-factor authentication to ensure only authorized users are accessing electronic PHI.
  • Use audit controls are to record and examine information system activity.
  • Encrypt electronic PHI to guard against unauthorized access.
Free HIPAA Checklist
What best describes you?