The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently entered into a first-of-its-kind resolution agreement and corrective action plan to settle potential HIPAA violations arising out of a ransomware attack. The agreement to settle the alleged HIPAA violations was entered into with Doctors’ Management Services (DMS), a practice management company acting as a business associate to several covered entities.
By way of background, in April 2019, OCR opened an investigation based on a breach report from DMS. The report stated that approximately 206,695 individuals were affected when the DMS network server was infected with ransomware. The initial unauthorized access to the network had occurred several years earlier; however, DMS did not detect the intrusion until late 2018, after ransomware was used to encrypt its files. Based on its investigation, OCR alleged that:
- DMS failed to conduct an accurate and thorough risk analysis that assessed technical, physical, and environmental risks and vulnerabilities associated with handling electronic patient health information (ePHI);