First HIPAA Settlement for Ransomware, Fine for Phishing
The Office for Civil Rights (OCR) achieved two firsts recently: a settlement agreement related to a ransomware attack on a business associate and the first fine issued for a phishing attack. Both cases hold lessons for other covered entities.
A medical management company filed a breach report with the Department of Health and Human Services (HHS) stating that approximately 206,695 individuals were affected when its network server was infected with GandCrab ransomware in 2017. The company was unaware of the intrusion until Dec. 24, 2018, when the ransomware was used to encrypt its files, HHS reported.
“OCR’s investigation found evidence of potential failures by Doctors’ Management Services to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization,” HHS noted. “Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyberattack and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.” The company agreed to pay $100,000 to OCR and to implement a corrective action plan. (The settlement details are available online at: https://bit.ly/3OoXxhP.)
HHS noted that in the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware. In 2023, hacking accounted for 77% of the large breaches reported to OCR.
OCR also announced a settlement with a Louisiana medical group to resolve an investigation following a phishing attack in 2021. The breach affected the protected health information (PHI) of nearly 35,000 people. The settlement is the first involving a phishing attack under HIPAA.
The medical group’s breach report explained that a hacker used a phishing attack to gain access to an email account that contained electronic PHI (ePHI). OCR’s investigation revealed that the medical group failed to conduct a risk analysis as required by HIPAA. It also had no policies or procedures in place to regularly review information system activity to guard against cyberattacks. The medical group agreed to pay $480,000 and to implement a corrective action plan. (The settlement details are available online at: https://bit.ly/42gYBKd.)
Victims Still Have Obligations
The ransomware settlement shows that covered entities and business associates cannot depend on sympathy from OCR when a malicious actor instigated the breach, says Claire O’Brien, JD, an attorney with Brooks Pierce in Greensboro, NC.
“Being a victim is not an excuse for failure to fulfill your legal obligations. HIPAA-covered entities and business associates have an affirmative obligation to assess and mitigate risks, including the risks of cyberattack, whether it’s phishing, ransomware, or hacking,” O’Brien explains. “Of course, the type and level of risk and the nature of an appropriate preparation for that risk is going to vary from organization to organization. But security is not a set-it-and-forget-it issue.”
Organizations that maintain ePHI have to regularly assess their risk and document those assessments, which will be critical if there is a subsequent investigation by HHS, O’Brien says.
It is important not to assume that the ransomware risk is applicable only to large organizations. “We’re seeing it impact smaller organizations, too, so it doesn’t happen only to major healthcare systems. Everyone, even small providers, needs to be aware of the risk of cyber threats like ransomware hacking attacks because we’re seeing these happen regularly,” O’Brien says.
O’Brien suggests asking these questions about ePHI and cybersecurity:
- Does the office destroy ePHI that is no longer in use?
- Is there a backup plan or a process to create retrievable exact copies of ePHI?
- Does the organization use a system to assign each user a unique identifier that can be used to track activity within information systems that contain ePHI?
- Are automatic log-off capabilities in place to ensure unauthorized users cannot access data on unattended workstations?
- Is executive leadership or management involved in risk management and mitigation decisions?
- Are security processes communicated throughout the organization?
- Are there sanctions against workforce members who do not comply with security policies?
The ransomware settlement shows that HHS is starting to act against organizations for security breaches triggered by external bad actors, says Erin Dunlap, JD, an attorney with Coppersmith Brockelman in Phoenix. The failure to detect the unauthorized access for more than 20 months likely played a significant part in OCR’s decision to pursue enforcement action against the management company in this case, she says.
“OCR clearly expects organizations subject to HIPAA to assess their systems proactively and identify and address vulnerabilities,” Dunlap says. “While these cyberattacks can be incredibly sophisticated and we may not know the attacker’s next move, a good risk analysis and risk management plan with an ongoing review of system activities are important and necessary steps to reduce the risk to your organization.”
In the phishing settlement, the key finding from OCR is that the medical group never conducted a risk analysis on its electronic patient data or implemented procedures to review system activity — both of which are required safeguards under the HIPAA Security Rule, Dunlap explains.
“While those actions may not have prevented the phishing attack — often caused by a workforce member opening emails impersonating a known or trustworthy source — OCR is clearly sending the message that these proactive steps reduce the chance that these types of cyberattacks will be successful,” Dunlap says. “They are taking enforcement action against organizations that do not take these steps, even when the breach itself is caused by an external bad actor. In this case, the best defense is a good offense.”
Dunlap advises being proactive about security measures, monitoring systems, and educating workforce members on phishing and other common cybersecurity attacks. Employees should know what to look for and how to respond when an email or sender “just doesn’t look right,” she says.