The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently announced a settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Green Ridge Behavioral Health, LLC (GRBH), a Maryland-based practice providing psychiatric evaluations, medication management, and psychotherapy. The settlement relates to a ransomware attack on GRBH’s network server in early 2019 that affected the protected health information of more than 14,000 people. GRBH filed a breach report with OCR in February 2019 stating that its network server had been infected with ransomware, resulting in the encryption of its files and of the electronic health records of all its patients by a malicious actor. OCR’s investigation of the attack further confirmed that the malicious actor had also stolen files containing sensitive patient information, so the incident involved exfiltration of data and not only loss of access to it.
OCR investigation into GRBH revealed deficiencies and vulnerabilities
In December 2019, OCR launched an investigation related to the GRBH ransomware attack to determine whether GRBH had complied with the HIPAA Rules. During the investigation, GRBH was unable to provide OCR with evidence that it had conducted an accurate and thorough risk analysis to identify risks and vulnerabilities to electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A). Further, the investigation revealed that GRBH had not implemented security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B). GRBH’s compliance failures resulted in the impermissible disclosure of patients’ ePHI.
To resolve the investigation, the settlement with HHS OCR requires GRBH to pay $40,000 and implement a corrective action plan to be monitored by OCR for three years. The plan includes the following steps GRBH will take to resolve potential violations of HIPAA Privacy and Security Rules and to protect electronic health information:
- Conduct a comprehensive and thorough analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
- Design a risk management plan to address and mitigate the security risks and vulnerabilities found in the risk analysis;
- Review, and develop or revise, its written policies and procedures to comply with HIPAA;
- Provide workforce training on HIPAA policies and procedures;
- Audit all third-party arrangements to ensure appropriate business associate agreements are in place; and
- Report to OCR when workforce members fail to comply with HIPAA.
Ransomware attacks may affect patients’ ability to live long, healthy lives
As explained by OCR Director Melanie Fontes Rainer, ransomware attacks such as this one cause distress for patients who are deprived of access to their medical records. According to HHS, because patients lose access to their medical records in this type of attack, where files are encrypted by a malicious actor, the affected patients are unable to make informed decisions regarding their health and well-being. Ms. Fontes Rainer went on to explain that health care providers need to understand the seriousness of these attacks and must have practices in place to ensure that patients’ protected health information is not subjected to cyberattacks such as ransomware.
This is the second OCR investigation of a ransomware attack to result in a financial penalty for non-compliance with the HIPAA Rules, and it is one of many OCR investigations that have identified a failure to comply with the risk analysis provision of the HIPAA Security Rule. In OCR’s view, the lack of a comprehensive, organization-wide risk analysis leaves an organization exposed to risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, which malicious actors can then exploit.