And Now There Are Three: OCR Issues Third Ransomware Settlement
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released its third ransomware-related settlement agreement in less than a year. Below we summarize each of the settlements – including details of the ransomware attack, the number of patients affected, OCR’s investigation findings and corrective action activities – followed by several key takeaways.
What is Ransomware?
Ransomware is a type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. These malicious attacks are extremely dangerous because they may impact patient care, disrupt operations, and jeopardize patient data. In 2016, OCR issued its “FACT SHEET: Ransomware and HIPAA” to provide covered entities and business associates with guidance on responding to ransomware attacks, including the breach-reporting requirements.
Settlement 1: Doctors’ Management Services
- Background: Doctors’ Management Services (DMS) is a Massachusetts-based medical management company that serves as a business associate. The incident timeline includes:
  - April 1, 2017: Initial unauthorized access to the network.
  - December 24, 2018: Ransomware attack encrypted files.
  - April 22, 2019: Breach reported to OCR. OCR initiated investigation.
  - December 24, 2018: Settlement announced.
- Number of Patients Affected: 206,695
- Investigation Findings: OCR’s investigation found evidence that indicated DMS potentially violated the following HIPAA provisions:
  - Requirement to conduct an accurate and thorough risk analysis;
  - Requirement to implement procedures to regularly review records of information system activity; and
  - Requirement to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.
- Corrective Actions: Under the settlement agreement, DMS paid a financial settlement of $100,000 and agreed to a three-year corrective action plan that requires DMS to:
  - Review and update its Security Risk Analysis and update its enterprise-wide Risk Management Plan.
  - Review and revise its Security Rule policies and procedures and distribute them to all members of its workforce who use or disclose ePHI, including new members of the workforce.
  - Train its workforce members; require a compliance certification from all workforce members; and submit a written “Training Report” to OCR.
Settlement 2: Green Ridge Behavioral Health, LLC
- Background: Green Ridge Behavioral Health, LLC (GRBH) is a multidisciplinary group practice that provides comprehensive outpatient mental health services to the Washington, D.C. Metropolitan area. According to information from OCR, GRBH’s network server was infected with ransomware, resulting in the encryption of company files and the electronic health records of all patients. The timeline includes:
  - February 11, 2019: Breach reported to OCR.
  - December 12, 2019: OCR initiated its investigation.
  - February 21, 2024: Settlement announced.
- Number of Patients Affected: 14,000
- Investigation Findings: OCR’s investigation found evidence that indicated GRBH potentially violated the following HIPAA provisions:
  - Requirement to conduct an accurate and thorough security risk analysis;
  - Requirement to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level;
  - Requirement to implement policies and procedures to regularly review records of information system activity; and
  - Requirement to not impermissibly use or disclose PHI.
- Corrective Action: Under the settlement agreement, GRBH paid a financial settlement of $40,000 and agreed to a three-year corrective action plan that requires GRBH to:
  - Conduct a comprehensive and thorough Security Risk Analysis and develop an enterprise-wide Risk Management Plan.
  - Review, develop and revise its Privacy and Security Rule policies and procedures and distribute them to all members of the workforce and all business associates. Require a compliance certification from all workforce members and business associates that they have read, understand, and shall abide by the policies and procedures.
  - Train its workforce members who have access to PHI at least annually, including each new member of the workforce or business associate. Require a compliance certification from all workforce members certifying they received the training.
  - Review its relationships with vendors and third-party service providers to identify business associates and provide OCR with information on business associates, as well as copies of the business associate agreements.
Settlement 3: Heritage Valley Health System
- Background: Heritage Valley Health System (HVHS) is an integrated delivery network serving patients in Pennsylvania, Ohio and West Virginia. According to Government Technology, the attack by malware dubbed NotPetya began in July 2017 and soon infected the entire health system, including satellite offices, although the exact number of patients affected is not available. The timeline includes:
  - October 31, 2017: OCR initiated a compliance review following media reports that Heritage Valley experienced a data security incident.
  - July 1, 2024: Settlement announced.
- Number of Patients Affected: Not reported.
- OCR’s Investigation Findings: OCR’s investigation found evidence that indicated HVHS potentially violated the following HIPAA provisions:
  - Requirement to conduct an accurate and thorough security risk analysis;
  - Requirement to establish and implement policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI; and
  - Requirement to implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.
- Corrective Actions: Under the settlement agreement, HVHS paid a financial settlement of $950,000 and agreed to a three-year corrective action plan that requires HVHS to:
  - Conduct a comprehensive and thorough Security Risk Analysis and develop an enterprise-wide Risk Management Plan.
  - Review and develop, maintain and revise its Security Rule policies and distribute the policies and procedures to all members of the workforce and all business associates that have access to PHI. Provide proof of distribution and/or posting of policies and procedures.
  - Train workforce members who have access to PHI at least annually. Require a compliance certification from all workforce members certifying they received training.
Key Takeaways
- While most reported HIPAA breaches do not result in settlement agreements, OCR investigates every breach affecting 500 or more individuals. In calendar year 2022, OCR received 626 notifications of breaches affecting 500 or more individuals.[1] OCR investigated all 626 reported breaches, with 3 breach investigations resulting in resolution agreements, corrective action plans and monetary payments. Other breach investigations were resolved through technical assistance, voluntary compliance through corrective action, resolution agreements and corrective action plans (CAPs). After reporting a breach, health centers should focus on developing their HIPAA compliance programs by adopting applicable activities from the above corrective action plans to demonstrate to OCR their commitment to corrective action.
- For reported HIPAA breaches that do result in settlements, the process takes years. The three ransomware-related settlements took 4-7 years from the date the breach was reported until the settlement was announced. According to OCR, over the past five years, there has been a 264% increase in ransomware reported to OCR.[2] Given these increases, we expect additional ransomware-related settlements and CAPs.
- Every CAP includes security management, policies and procedures, and training. While there were different requirements for each entity (e.g., different deadlines for completing the security risk analyses, compliance certification requirements, etc.), each CAP required the entities to focus on security risk analysis and management plans, revising and distributing policies and procedures, and training workforce members.
- Every CAP is scheduled to last three years. While recent settlement agreements included corrective action plans lasting 1-2 years, it is notable that each ransomware-related settlement included a 3-year CAP during which the entity must report workforce members (and business associates, if applicable) who fail to comply with the entity’s policies and procedures and submit implementation and annual reports.
If you have questions about the OCR ransomware-related settlements or cybersecurity measures in your health center, please contact Dianne Pledgie.
[1] Annual Report to Congress on Breaches of Unsecured Protected Health Information for CY2022: https://www.hhs.gov/sites/default/files/breach-report-to-congress-2022.pdf.
[2] https://www.hhs.gov/about/news/2024/03/13/hhs-office-civil-rights-issues-letter-opens-investigation-change-healthcare-cyberattack.html.