The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has settled an investigation into a ransomware attack on Doctors’ Management Services, a Massachusetts medical management company that handles protected health information as a HIPAA business associate. The $100,000 settlement resolves OCR’s investigation of a breach report concerning a ransomware attack that affected the protected health information of more than 200,000 individuals. In addition to paying the settlement amount, Doctors’ Management Services has agreed to implement a corrective action plan to bring it into compliance with HIPAA, and OCR will monitor its compliance for three years.
Under the corrective action plan, Doctors’ Management Services will review and update its risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information it holds. It will then update its risk management plan to reduce those risks to a reasonable and appropriate level. The company will also review and revise its policies and procedures to comply with the HIPAA Privacy and Security Rules, and will train its workforce on those policies.
OCR recommends that healthcare providers and other organizations covered by HIPAA adopt several practices to mitigate or prevent cyber-threats: review vendor and contractor relationships to ensure business associate agreements are in place and address breach and security incident obligations; integrate risk analysis and risk management into business processes, and repeat them whenever new technologies or business operations are introduced; implement audit controls and regularly review information system activity; use multi-factor authentication so that only authorized users can access electronic protected health information; encrypt electronic protected health information to guard against unauthorized access; and feed lessons learned from incidents back into the overall security management process. OCR regularly provides guidance and support to the healthcare industry on data privacy and security.
OCR’s regional offices have also conducted cybersecurity training to help healthcare providers and organizations meet their cybersecurity obligations under HIPAA. The training has been delivered to large hospitals, small medical providers, business associates, state health departments, and state social service agencies. Its aim is to help these organizations navigate an evolving and hostile threat landscape while remaining compliant with HIPAA’s security requirements.