The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has settled an investigation following a ransomware attack that affected the protected health information of more than 14,000 individuals. OCR noted that this marks the second settlement it has reached with a HIPAA-regulated entity for potential violations identified during an investigation of a ransomware attack.
The settlement is with Green Ridge Behavioral Health LLC, a Maryland-based practice that provides psychiatric evaluations, medication management, and psychotherapy.
In February 2019, Green Ridge Behavioral Health filed a breach report with OCR stating that its network server had been infected with ransomware, resulting in the encryption of company files and the electronic health records of all patients. OCR's investigation found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach.
Other findings included that Green Ridge Behavioral Health failed to:
• Have in place an accurate and thorough assessment to determine the potential risks and vulnerabilities to electronic protected health information;
• Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level; and
• Have sufficient monitoring of its health information systems' activity to protect against a cyber-attack.
Under the terms of the settlement, Green Ridge Behavioral Health agreed to pay $40,000 and implement a corrective action plan that will be monitored by OCR for three years. The plan identifies steps that Green Ridge Behavioral Health will take to resolve potential violations of the HIPAA Privacy and Security Rules and to protect electronic protected health information, including:
• Conducting a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
• Designing a Risk Management Plan to address and mitigate security risks and vulnerabilities found in the Risk Analysis;
• Reviewing, and as necessary, developing or revising its written policies and procedures to comply with the HIPAA Rules;
• Providing workforce training on HIPAA policies and procedures;
• Conducting an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, where applicable; and
• Reporting to OCR when workforce members fail to comply with HIPAA.
"Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable," said OCR Director Melanie Fontes Rainer, in a statement. "These attacks cause distress for patients who may not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients' protected health information is not subjected to cyber-attacks such as ransomware."
Over the past five years, there has been a 256 percent increase in large breaches reported to OCR involving hacking and a 264 percent increase in ransomware. In 2023, hacking accounted for 79 percent of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141 percent increase from 2022.