- The HHS announced its first settlement related to a healthcare ransomware attack on Monday with Massachusetts-based medical management company Doctors’ Management Services.
- Under the settlement, Doctors’ Management will pay $100,000 and undergo a corrective action plan to resolve claims that it violated HIPAA breach rules and failed to identify vulnerabilities in its systems before experiencing a breach in 2017 that affected the private health information of 206,695 individuals.
- The HHS Office for Civil Rights called ransomware and hacking the “primary cyber-threats in health care” and warned that companies must take steps to identify and address cybersecurity vulnerabilities as attacks in the industry escalate.
Healthcare data breaches are on the rise as companies increasingly rely on electronic health records to store private health information and cyber criminals seize opportunities to exploit vulnerabilities.
Large breaches reported to the OCR have increased by 239% over the past four years, alongside a 278% increase in ransomware incidents, according to a press release. The scale of attacks is also increasing. Large attacks have impacted the records of 88 million individuals so far this year, up 60% from last year, according to the agency.
The Doctors’ Management breach first occurred in April 2017 and was identified in December 2018. The company reported the breach to OCR in April 2019, after determining that its network had been infected with GandCrab ransomware.
In the settlement, the HHS alleged that Doctors’ Management failed to assess risks to health data, monitor it, and protect it from potential cyberattacks. To ensure compliance, the OCR placed the company on a corrective action plan and will monitor the firm for three years.
As part of the corrective action plan, Doctors’ Management will be required to review and update its risk analysis to identify the potential risks and vulnerabilities to its data, update its enterprise-wide risk management plan accordingly and review its policies and procedures regarding compliance with HIPAA breach notice guidance. The company will also provide workforce training on HIPAA policies and procedures.
Recently, cyberattacks have affected major hospitals like HCA Healthcare and CommonSpirit Health. An attack targeting Prospect Medical Holdings this year cut access to key computer systems for weeks, forcing some hospitals to temporarily suspend patient services.
Attacks often prove costly. Last year, hospital operators said their most costly incident averaged $4.9 million in disruptions to system operations.