
November 03, 2023
Health Law Weekly

Medical Management Firm Pays $100,000 Settlement over Ransomware Data Breach


Massachusetts-based Doctors’ Management Services will pay $100,000 to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) in connection with a ransomware attack that began with an April 2017 network intrusion and compromised the electronic protected health information (ePHI) of 206,695 individuals, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced October 31.

The company, which provides services including medical billing and payer credentialing, did not detect the April 2017 unauthorized access to its network until December 2018, roughly 20 months later, when GandCrab ransomware was used to encrypt its files, OCR said. Doctors’ Management reported the data breach to HHS in April 2019.

OCR’s investigation found potential failures to conduct an accurate and thorough analysis of the risks and vulnerabilities to ePHI across the organization, to adequately monitor health information system activity, and to have in place the HIPAA-required policies and procedures to protect ePHI.

The settlement is the first-ever that OCR has reached involving ransomware, the agency said.

“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

OCR said its investigation found evidence the company potentially violated HIPAA by not having required procedures and systems in place to guard against and mitigate cyberattacks.

As part of the settlement, Doctors’ Management will implement a corrective action plan and be subject to three years of OCR monitoring.

The corrective action plan requires Doctors’ Management to review and update its risk analysis of potential threats to ePHI, update its enterprise-wide risk management plan for addressing those threats, review and revise written policies and procedures, and provide workforce training on HIPAA requirements.
