The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Green Ridge Behavioral Health, LLC, a Maryland psychiatric practice. The case involved a ransomware attack that compromised the protected health information of more than 14,000 patients.
Ransomware is malicious software that encrypts a victim's data and withholds the decryption key until a ransom is paid. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set the requirements covered entities and business associates must meet to protect patient information. This is OCR's second settlement arising from a ransomware attack.
OCR Director Melanie Fontes Rainer said:
“Ransomware is now one of the most common cyber-attacks. Patients suffer when they cannot access their medical records. Providers must take steps to prevent these attacks and protect patient data.”
The Breach
In February 2019, Green Ridge reported to OCR that ransomware had encrypted its servers, company files, and all of its patients' electronic health records. OCR's investigation found several potential violations of the HIPAA Security Rule, including failures to:
- Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the electronic protected health information (ePHI) it held.
- Implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
- Regularly review records of information system activity, such as audit logs and access reports, that could have revealed the intrusion.
Settlement Terms
Green Ridge agreed to pay $40,000 and implement a Corrective Action Plan (CAP) monitored by OCR for three years. The CAP requires Green Ridge to:
- Conduct a full risk analysis.
- Create a risk management plan.
- Update policies and procedures.
- Train its workforce on HIPAA.
- Review its relationships with vendors and third-party service providers and ensure business associate agreements are in place where required.
- Report to OCR when workforce members fail to comply with its HIPAA policies and procedures.
Recommendations
Ransomware and hacking are now the leading cyber threats in healthcare. Over the past five years, large breaches involving hacking reported to OCR rose 256%, and those involving ransomware rose 264%. In 2023, hacking accounted for 79% of the large breaches reported to OCR; the large breaches reported that year affected more than 134 million individuals, a 141% increase from 2022.
OCR recommends providers and business associates:
- Make risk analysis and risk management a routine part of business operations, repeating them regularly and whenever new technologies or business processes are planned.
- Ensure audit controls are in place to record information system activity, and review that activity on a regular basis so that intrusions are detected early.
- Use multi-factor authentication so that only authorized users can access ePHI, and encrypt ePHI to guard against unauthorized access.
- Review all vendor and contractor relationships to confirm that business associate agreements are in place and address breach and security incident obligations.
- Provide workforce training that is specific to the organization and to each role, repeat it regularly, and reinforce workforce members' critical part in protecting privacy and security.
- Incorporate lessons learned from past incidents into the overall security management process.