Ransomware Attack on Maryland Psychotherapy Provider Results in HIPAA Penalty
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with a Maryland behavioral healthcare provider for $40,000. Green Ridge Behavioral Health, LLC (GRBH) is a Gaithersburg, MD-based provider of psychiatric evaluations, medication management, and psychotherapy. In February 2019, GRBH filed a report with OCR about a breach of the protected health information of 14,000 patients. A malicious actor had accessed its systems and used ransomware to encrypt files. The investigation confirmed that the threat actor stole files containing sensitive patient information.
In December 2019, OCR initiated an investigation to establish whether GRBH had complied with the HIPAA Rules. GRBH was unable to provide OCR with evidence to prove that an accurate risk analysis had been conducted to identify risks and vulnerabilities to electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), and sufficient security measures had not been implemented to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).
HIPAA-regulated entities are required to implement policies and procedures for regularly reviewing records of activity in information systems, such as audit logs, access reports, and security incident tracking reports, but GRBH had not implemented such policies and procedures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A). These compliance failures resulted in an impermissible disclosure of patients’ ePHI (45 C.F.R. § 164.502(a)).
In addition to the financial penalty, GRBH is required to implement a corrective action plan to address all areas of non-compliance discovered during the investigation and OCR will monitor GRBH for compliance with the corrective action plan for 3 years. The corrective action plan includes the requirement to conduct a risk analysis, develop a risk management plan, review existing policies and procedures to ensure compliance with the HIPAA Rules, provide workforce training on HIPAA policies, audit all third-party arrangements to ensure appropriate business associate agreements are in place, and ensure that any HIPAA violations by workforce members are reported to OCR.
“Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable,” said OCR Director Melanie Fontes Rainer. “These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”
This is the second OCR investigation of a ransomware attack that has resulted in a financial penalty for non-compliance with the HIPAA Rules and is one of many investigations that identified a failure to comply with the risk analysis provision of the HIPAA Security Rule. If a comprehensive organization-wide risk analysis is not conducted, risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI are likely to remain and it will only be a matter of time before they are found and exploited by malicious actors.
The Office of the National Coordinator for Health Information Technology (ONC) and OCR have developed a Security Risk Assessment Tool and have issued guidance on conducting risk analyses, and the National Institute of Standards and Technology (NIST) has recently published a final guide on HIPAA Security Rule implementation, which includes guidance on conducting risk analyses.