Ransomware Attack on Maryland Psychotherapy Provider Ended in HIPAA Penalty
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) resolved the supposed Health Insurance Portability and Accountability Act (HIPAA) violations with a behavioral medical care company in Maryland for $40,000. Green Ridge Behavioral Health, LLC (GRBH) located in Gaithersburg, MD offers psychiatric assessments, psychotherapy, and medication management. In February 2019, GRBH sent in a report to OCR regarding a compromise of the protected health information (PHI) of 14,000 patients. A threat actor viewed its systems and utilized ransomware to encrypt files. The investigation affirmed that the attacker stole data that contained sensitive patient details.
In December 2019, OCR began an investigation to determine if GRBH had followed the HIPAA Guidelines. GRBH could not give OCR any information that demonstrates it
- conducted a proper risk analysis to determine risks and threats to electronic protected health information (ePHI), as demanded by 45 C.F.R. § 164.308(a)(l)(ii)(A)
- implemented adequate security steps to lessen risks and vulnerabilities to ePHI to an acceptable and ideal level, as demanded by 45 C.F.R. § 164.308(a)(I)(ii)(B).
HIPAA-covered entities need to carry out policies and procedures for examining reports of activity in IT systems, for example, audit records, security incident monitoring reports, and access reports. Although guidelines and procedures were not carried out, as needed by 45 C.F.R. § 164.308(a)(l)(ii) (A). These compliance breakdowns led to impermissible exposure of patients’ ePHI (45 C.F.R. § 164.502(a)).
Aside from the financial penalty, GRBH needs to carry out a corrective action plan to handle all parts of non-compliance identified at the time of the investigation and OCR will keep an eye on GRBH for adherence to the 3-year corrective action plan. The corrective action plan involves the necessity to carry out a risk analysis, establish a risk management plan, take a look at present policies and protocols to ensure compliance with the HIPAA Regulations, give employees training on HIPAA guidelines, audit all third-party arrangements to make sure business associate agreements are available, and make certain that any HIPAA violations by employees are documented to OCR.
Ransomware is rising to be one of the most prevalent cyber-attacks and makes patients incredibly vulnerable. Ransomware attacks trigger problems for patients who won’t have access to their health files, consequently, they might make the most exact decisions relating to their overall health. Medical companies must fully grasp the significance of these attacks and need to have procedures in place to make certain patients’ PHI is not exposed to cyber-attacks like ransomware.
This is OCR’s second case of a ransomware attack that had a monetary fine issued for HIPAA Guidelines noncompliance and is one of several investigations that determined an inability to follow the risk analysis demand of the HIPAA Security Law. When a detailed company-wide risk analysis is not done, risks and vulnerabilities to the integrity, availability, and confidentiality of ePHI are possibly to continue. Eventually, malicious actors will discover and take advantage of the vulnerabilities.
The Office of the National Coordinator for Health Information Technology (ONC) together with OCR has made a Security Risk Assessment Software and has given guidelines on performing risk analyses, and the National Institute of Standards and Technology (NIST) has lately shared a final guideline on HIPAA Security Law execution, which consists of support on doing risk analyses.
Empress Ambulance Service Pays $1.05 Million to Resolves Class Action Lawsuit
Empress Ambulance Service, also called Empress EMS, an ambulance provider that services many places in New York, has proposed to pay $1.05 million to resolve claims it did not employ proper cybersecurity measures to secure the sensitive data of patients. In July 2022, Empress EMS encountered a Hive ransomware attack and had file encryption and theft of sensitive patient information. The Hive group publicized some information on its data leak site; nonetheless, Empress EMS settled the ransom, and the records were deleted from the leak website. The forensic investigation affirmed that the PHI of 318,558 individuals was breached in the attack.
Empress EMS faced several due to the data breach and offered a settlement to solve the claims without admitting any wrongdoing. Based on the conditions of the settlement, class members – persons who received advice from Empress EMS concerning the data breach – are qualified to send claims for approximately $10,000 for repayment of recorded expenses sustained because of the data breach, for instance, fraudulent expenses, tax and credit expenditures, professional costs, and identity theft compensation.
Additionally, class members can get a cash payment, which is going to be given pro rata after subtracting legal charges and claims taken from the negotiation funding. If the claims surpass the total settlement, they are going to be paid pro rata. There are going to be no cash payments. The arrangement likewise includes a year of identity theft protection and credit monitoring services with a $1 million identity theft insurance coverage. The due date to object to or exclude from the negotiation is March 8, 2024, qualified claims need to be filed by April 8, 2024, and the date of the final approval hearing is April 3, 2024.