Feds Levy First-Ever HIPAA Fine for Ransomware Data Breach

Massachusetts Management Firm to Pay $100,000, Monitor HIPAA Compliance for 3 Years

A Massachusetts-based medical management firm holds the dubious honor of being the first ransomware victim fined for a data breach by the Department of Health and Human Services.

Doctor Management Group agreed to a $100,000 financial settlement and three years of HIPAA compliance monitoring and corrective actions following an investigation into a 2019 ransomware breach affecting nearly 206,700 individuals.

The Department of Health and Human Services’ Office for Civil Rights said the settlement is the agency’s first HIPAA enforcement action in a case involving ransomware.

“Our settlement highlights how ransomware attacks are increasingly common and targeting the healthcare system,” said Melanie Fontes Rainer, HHS OCR director, in a statement. “This leaves hospitals and their patients vulnerable to data and security breaches,” she said.

“In this ever-evolving space, it is critical that our healthcare system take steps to identify and address cybersecurity vulnerabilities, along with proactively and regularly reviewing risks and records and updating policies. These practices should happen regularly across an enterprise to prevent future attacks.”

Since 2019, HHS OCR said, it has seen a 239% increase in major health data breaches reported to the agency involving hacking and a 278% increase in incidents involving ransomware.

“This trend continues in 2023, where hacking accounts for 77% of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60% increase from last year,” HHS OCR said.

HHS OCR’s investigation found several areas of potential HIPAA violations, including failure to conduct an accurate and thorough HIPAA security risk analysis; failure to implement procedures to regularly review records of information system activity, including audit logs, access reports and security incident tracking reports; and failure to implement reasonable and appropriate policies and procedures to comply with various other requirements of the HIPAA Security Rule.

The corrective actions Doctors Management Service must take include reviewing and updating its risk analysis to identify the potential risks and vulnerabilities affecting PHI, updating its enterprisewide risk management plan to mitigate any security risks and vulnerabilities found in the updated risk analysis, reviewing and revising its policies and procedures to comply with the HIPAA privacy and security rules, and providing workforce training on those policies and procedures.

Covered entities need an appropriate incident response plan for ransomware so they can limit the impact on both patient privacy and business operations. If you have questions about IT security and the evolving threat landscape, call ITPAC today.