HHS OCR Announces First Ransomware Resolution Agreement and Corrective Action Plan
The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) recently entered into a first-of-its-kind resolution agreement and corrective action plan to settle potential HIPAA violations arising out of a ransomware attack. The agreement was reached with Doctors’ Management Services (DMS), a practice management company acting as a business associate to several covered entities.
By way of background, in April 2019, OCR opened an investigation based on a breach report from DMS. The report stated that approximately 206,695 individuals were affected when the DMS network server was infected with ransomware. The initial unauthorized access to the network had occurred several years earlier; however, DMS did not detect the intrusion until late 2018, after ransomware was used to encrypt its files. Based on its investigation, OCR alleged that:
- DMS failed to conduct an accurate and thorough risk analysis that assessed technical, physical, and environmental risks and vulnerabilities associated with handling electronic patient health information (ePHI);
- DMS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and
- DMS failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule.
Under the resolution agreement, DMS must pay $100,000 to HHS and implement a three-year corrective action plan. Under the plan, DMS must, among other obligations:
- Update its risk analysis, subject to HHS approval;
- Develop a complete inventory of all its environments that contain or store ePHI;
- Update its enterprise-wide risk management plan;
- Revise its written policies and procedures, as indicated to be necessary by the risk analysis and approved by HHS;
- Provide workforce HIPAA training; and
- Provide HHS with annual training reports summarizing compliance.
By entering into its first-ever ransomware resolution agreement and corrective action plan, HHS has signaled its continued focus on data security. In particular, HHS appears willing to hold victims of ransomware attacks accountable where it finds that the provider’s or entity’s alleged non-compliance contributed to the attack. Healthcare providers that handle ePHI should strengthen their cybersecurity controls and implement the safeguards and procedures necessary to detect and prevent cyberattacks.
For over 35 years, Wachler & Associates has represented healthcare providers and suppliers nationwide in a variety of health law matters, and our attorneys can assist providers and suppliers in understanding new developments in healthcare law and regulation. If you or your healthcare entity has any questions pertaining to healthcare compliance, please contact an experienced healthcare attorney at 248-544-0888 or wapc@wachler.com.