HHS Enters Into First-Ever Ransomware Resolution Agreement and Corrective Action Plan
The U.S. Department of Health and Human Services ("HHS") Office of Civil Rights ("OCR") has entered into its first settlement of potential Health Insurance Portability and Accountability Act ("HIPAA") violations arising out of a ransomware attack, signaling OCR's continued focus on data security.
On October 31, 2023, the OCR announced a first-of-its-kind ransomware agreement with Doctors' Management Services ("DMS"), a practice management company acting as a business associate to several covered entities, for alleged violations of HIPAA.
What Happened
In April 2019, OCR opened an investigation on a breach report from DMS stating that approximately 206,695 individuals were affected by a ransomware attack. While the initial unauthorized access to its network occurred on April 1, 2017, DMS did not detect this intrusion until December 24, 2018, after ransomware already had encrypted its files. Based on its investigation, OCR alleged that DMS failed to:
- Conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities associated with handling electronic protected health information ("ePHI") across the organization;
- Implement procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports; and
- Implement and maintain appropriate policies and procedures to comply with the HIPAA Security Rule.
The Resolution Agreement
The resolution agreement requires DMS to pay $100,000 and implement a three-year corrective action plan where DMS must, among other things:
- Update its risk analysis, subject to HHS approval;
- Develop a complete inventory of all its environments that contain or store ePHI;
- Update its enterprise-wide risk management plan;
- Revise its written policies and procedures, as indicated to be necessary by the risk analysis and approved by HHS;
- Provide workforce HIPAA training; and
- Provide HHS with annual training reports summarizing compliance.
The Big Picture
By entering into this first-of-its-kind resolution agreement, OCR is signaling its willingness to hold accountable victims of ransomware attacks if OCR finds the organization's non-compliance a contributing factor to the attack. Similarly, federal agencies are increasingly scrutinizing entities for violations relating to health information. In this year alone, the Federal Trade Commission brought its first enforcement actions for violations of the Health Breach Notification Rule, and HHS issued a report indicating that cybersecurity remains a top priority. Business associates, covered entities, and other businesses must continue to carefully implement appropriate controls to secure health information.