On Oct. 31, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced it had settled with Doctors’ Management Services Inc. (DMS) over a self-reported ransomware attack that occurred in 2017. According to the OCR’s press release, this marks the first time OCR has reached a settlement following a reported breach resulting from a ransomware attack.
Entities subject to the Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA), should view this as a signal of OCR’s intent to ensure covered entities and business associates are prepared to address cybersecurity vulnerabilities and are proactive in reviewing for and addressing potential risks.
The Reported Conduct and Settlement
DMS is a practice management company that acts as a business associate to covered entities. At the end of 2018, DMS discovered that attackers had infected the company’s servers with GandCrab ransomware, a type of encryption ransomware that locks files until the victim of the attack pays a ransom. DMS reported that, though the attacker did not activate the ransomware until 2018, it had gained access to DMS’ systems in April 2017. The breach affected the protected health information (PHI) of approximately 206,695 individuals.
In its subsequent investigation, OCR found three key areas where DMS had failed to meet standards imposed by the HIPAA Security Rule:
- DMS did not conduct an accurate and thorough enterprisewide risk analysis to assess the technical, physical and environmental risks associated with handling electronic PHI.
- DMS did not implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.
- DMS did not implement appropriate policies and procedures to comply with the standards and implementation specifications the Security Rule requires.
As part of the settlement, DMS agreed to pay $100,000, without admitting liability, and to be bound by a corrective action plan (CAP).
Corrective Action Plan
For the next three years, OCR will require DMS to implement several corrective actions, including commencing a comprehensive security risk analysis. The CAP requires DMS to take an inventory of all its facilities, equipment and systems — anything that contains electronic PHI — and to update its risk analysis accordingly. DMS then must update its risk management plan to address any security risks found after the risk analysis, which OCR must approve.
The CAP requires DMS to update its policies and procedures to comply with federal security standards. At a minimum, DMS must revise its policies and procedures to include an information system activity review, which must be expansive enough to review access to local devices and ensure DMS’ external firewall is updated. The CAP requires DMS to implement procedures for security awareness and training. As DMS implements and trains its employees, it is obligated to continue to report to OCR and, should DMS breach the CAP, OCR may levy further civil monetary penalties.
Implications
With the settlement announced at the close of October, Cybersecurity Awareness Month, OCR is signaling that it will hold covered entities and business associates accountable for ransomware breaches to the extent they have not taken the necessary precautions to identify and address potential risks. In its press release, OCR stated that data breaches have increased by 239%, with a 278% increase in ransomware attacks in the past four years. In 2023, to date, hacking has accounted for 77% of the large breaches reported to OCR. These breaches have affected approximately 88 million individuals, amounting to a 60% increase from last year.
All covered entities and business associates subject to HIPAA should have appropriate security measures in place to prevent ransomware attacks. This includes undertaking a comprehensive risk analysis to identify potential vulnerabilities and implementing measures to address such vulnerabilities. Covered entities and business associates should make sure their HIPAA policies and procedures are fully compliant to ensure that, if a ransomware attack does occur, OCR will not be able to identify noncompliant HIPAA policies and procedures as an issue in any ensuing investigation.
McGuireWoods has extensive experience advising clients on HIPAA compliance. For additional information on the data privacy and security obligations of covered entities and business associates under HIPAA, see McGuireWoods’ previous alerts or contact one of the authors.