HHS Announces First HIPAA Settlement Agreement Involving Ransomware Attack

6 months ago AndyC

Listen to this post

On October 31, 2023, the Department of Health and Human Services (“HHS”) announced the issuance of a

HHS Announces First HIPAA Settlement Agreement Involving Ransomware Attack
Listen to this post

On October 31, 2023, the Department of Health and Human Services (“HHS”) announced the issuance of a settlement agreement with Doctors’ Management Services (“DMS”), a Massachusetts-based medical management company, related to alleged violations of the Health Insurance Portability and Accountability Act’s (“HIPAA’s”) Privacy and Security Rules (collectively, the “HIPAA Rules”). DMS is a HIPAA business associate (“BA”) that provides payer credentialing and medical billing services to HIPAA Covered Entities (“CEs”). 

On April 22, 2019, HHS began investigating DMS after receiving a breach notification indicating that DMS’ network server was infected by the Gandcrab ransomware in April 2017. DMS did not detect the attack until after the ransomware was used to encrypt its files in December 2018. As a result, the electronic protected health information (“ePHI”) of approximately 206,695 individuals was affected. HHS alleged that DMS violated the HIPAA Security Rules by failing to (1) perform an accurate and thorough risk analysis of the technical, physical and environmental risks and vulnerabilities related to ePHI; (2) implement adequate procedures to review records of information system activity on a regular basis; and (3) implement policies and procedures to comply with the HIPAA Rules. 

Under the settlement agreement, DMS must pay $100,000 to resolve the action and comply with a three-year corrective action plan, which includes:

  • Performing a risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in DMS’ possession;
  • Developing a complete inventory of all electronic equipment, data systems, facilities and applications that contain or store ePHI;
  • Providing HHS with documentation regarding its existing security measures, including its network segmentation and infrastructure, vulnerability scanning, logging and alerts and patch management;
  • Creating and adopting an enterprise-wide risk management plan;
  • Revising its HIPAA policies and procedures and submitting the revisions to HHS for approval; and
  • Updating DMS’ HIPAA training program, which includes revising its existing training materials, submitting the updated training materials to HHS for approval, providing training to workforce members who have access to PHI in a timely manner and obtaining certification from each employee stating the employee received such HIPAA training.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , ,

More Stories

UK ICO and Ofcom Joint Statement on Regulation of Online Services

UK ICO and Ofcom Joint Statement on Regulation of Online Services

3 days ago AndyC
HHS Extends Protections for Reproductive Privacy Under HIPAA

HHS Extends Protections for Reproductive Privacy Under HIPAA

4 days ago AndyC
Maryland Legislature Passes State Privacy Bill with Robust Requirements and Broad Threshold for Application

Maryland Legislature Passes State Privacy Bill with Robust Requirements and Broad Threshold for Application

5 days ago AndyC
CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

1 week ago AndyC
CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

1 week ago AndyC
New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

2 weeks ago AndyC

You may have missed

Microsoft Outlook Flaw Exploited by Russia's APT28 to Hack Czech, German Entities

Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities

6 hours ago AndyC
Your Google Account allows you to create passkeys on your phone, computer and security keys

Your Google Account allows you to create passkeys on your phone, computer and security keys

6 hours ago AndyC
Your Google Account allows you to create passkeys on your phone, computer and security keys

Detecting browser data theft using Windows Event Logs

6 hours ago AndyC
Your Google Account allows you to create passkeys on your phone, computer and security keys

How we fought bad apps and bad actors in 2023

6 hours ago AndyC
Accelerating incident response using generative AI

Accelerating incident response using generative AI

6 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.