Business Associate Victim of Ransomware Attack Pays $100,000 to HHS OCR | Brooks Pierce

Is your organization a business associate? You could be subject to enforcement action if you fail to protect health information within your control from ransomware attacks.  

In October, for the first time, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement agreement with a Health Insurance Portability and Accountability Act (HIPAA) business associate that was the victim of a ransomware attack. The business associate paid $100,000 to resolve allegations that it had failed to sufficiently protect the privacy and security of health information within its control.

Doctors’ Management Services (DMS), a medical practice management company that provides services such as medical billing and payor credentialing, acts as a business associate to several covered entities. On April 22, 2019, DMS informed HHS that DMS’s network server had been infected with GandCrab ransomware, affecting the electronic protected health information (e-PHI) of approximately 200,000 individuals. Although the initial intrusion occurred on April 1, 2017, DMS apparently did not detect the intrusion until December of the following year, when the ransomware was used to encrypt DMS’s files.

OCR’s investigation found evidence that DMS had failed to appropriately monitor its health information systems’ activity (for example, through audit logs, access reports and security incident tracking reports) and had failed to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule.

Under the settlement agreement, DMS agreed to pay $100,000 and to submit to a Corrective Action Plan under which DMS must update its Risk Analysis regarding the potential risks to the confidentiality, integrity and availability of e-PHI held by DMS, and provide documentation supporting a review of its current security measures and the level of risk to its e-PHI associated with network segmentation, network infrastructure, vulnerability scanning, logging and alerts and patch management. DMS must also provide workforce HIPAA training (among other things). OCR will monitor DMS for three years to ensure compliance.

In a press release