The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Doctors’ Management Services Settles OCR HIPAA Probe for $100,000

Posted By on Oct 31, 2023

The HHS’ Office for Civil (OCR) has agreed to a $100,000 settlement with Doctors’ Management Services to resolve an investigation of a ransomware attack and data breach that uncovered multiple potential violations of the HIPAA Security Rule.

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS identified an intrusion on December 24, 2018, when GandCrab ransomware was used to encrypt files on its network. The forensic investigation confirmed the attackers first gained access to its network on April 1, 2017.

According to DMS, the threat actor gained access to its network via Remote Desktop Protocol (RDP) on one of its workstations and potentially obtained names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and diagnostic information. The breach was reported to OCR on April 22, 2019, as affecting up to 206,695 individuals.

OCR opened an investigation of the breach to determine whether DMS had complied with the HIPAA Rules and uncovered multiple potential violations of the HIPAA Rules. In addition to the impermissible disclosure of the protected health information of 206,695 individuals, OCR determined that DMS had failed to conduct an accurate and thorough risk analysis to assess technical, physical, and environmental risks and vulnerabilities associated with the handling of ePHI.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

DMS was also found to have failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR also determined that DMS had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.

DMS agreed to settle the investigation with no admission of liability. Under the terms of the settlement, DMS has agreed to pay a $100,000 financial penalty and implement a corrective action plan (CAP) to resolve the potential HIPAA violations identified by OCR. The CAP includes requirements to update its risk analysis, risk management program, HIPAA Privacy and Security Rule policies and procedures, and workforce HIPAA training. In its settlement announcement, OCR also recommended several cybersecurity best practices that all HIPAA-regulated entities should implement to prevent and mitigate cyber threats.

OCR said this is the first HIPAA settlement agreement it has reached in response to a ransomware attack. Given the number of ransomware attacks in the past five years, which have increased by 278% since 2018, it is likely to be the first of many. “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

October is Cybersecurity Awareness Month, and in recognition, OCR released a cybersecurity video that explains how HIPAA Security Rule compliance can help healthcare organizations improve their defenses against cyberattacks and block the most common attack vectors. CISA and the HHS have also recently released a cybersecurity toolkit, which includes key cybersecurity tools, training material, and other resources for strengthening security posture and keeping up to date on the latest threats. This month, CISA released a log management tool to help under-resourced organizations reduce their log management burden and search for signs of compromise, and CISA, the NSA, FBI, and MS-ISAC have issued joint guidance on blocking phishing.

It has never been more important to ensure appropriate cybersecurity measures are in place, given the 239% increase in data breaches due to hacking in the past 4 years and the extent to which healthcare records are now being breached. Breached records are up 60% on last year and, at the time of writing, 88 million healthcare records are known to have been breached so far in 2023.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist