Groundbreaking Settlement: First HIPAA Enforcement Action for Ransomware Breach

The Department of Health and Human Services (HHS) has settled with Doctor Management Group for $100,000 in the first-ever HIPAA enforcement action following a ransomware attack. This landmark decision emphasizes the severity of ransomware threats and the need for robust cybersecurity measures in the healthcare industry.

The Escalating Threat: A Surge in Healthcare Cyberattacks

Since 2019, HHS has reported a 239% increase in major health data breaches due to hacking, with ransomware incidents rising by 278%. In 2023, hacking accounted for 77% of all large breaches reported, affecting over 88 million individuals. This trend underscores the urgent need for healthcare entities to fortify their defenses against these escalating cyber threats.

Proactive Steps and Lessons Learned: Doctor Management Group’s Response to the Breach

In response to the ransomware attack, Doctor Management Group has taken several proactive measures to enhance its cybersecurity, including migrating Protected Health Information (PHI) to the cloud, discontinuing VPN connections, and upgrading employee hardware. The company emphasizes the importance of learning from the incident and is dedicated to preventing future breaches.

by Kevin Wood

Massachusetts Medical Management Firm Fined $100K for Ransomware Data Breach, Marks First HIPAA Enforcement Action of its Kind

A medical management organization based in Massachusetts has the dubious distinction of being the first entity penalized by the Department of Health and Human Services (HHS) for a data breach resulting from a ransomware attack.

The organization in question, Doctor Management Group, has agreed to a financial settlement of $100,000, in addition to three years of monitoring to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). This decision was made following an investigation into a ransomware breach that was reported in 2019, affecting approximately 206,700 individuals.

On Tuesday, the Office for Civil Rights (OCR) within HHS announced that this settlement with the West Bridgewater, Massachusetts-based company marks the first time that HIPAA enforcement has been utilized in a case involving ransomware.

Melanie Fontes Rainer, Director of HHS OCR, stated that ransomware attacks are becoming increasingly prevalent and are targeting the healthcare industry, thereby leaving hospitals and their patients exposed to potential data and security breaches. She emphasized the importance of the healthcare system proactively identifying and addressing cybersecurity vulnerabilities, as well as regularly reviewing risks and updating policies.

Since 2019, HHS OCR has reported a 239% increase in significant health data breaches resulting from hacking, as well as a 278% increase in incidents involving ransomware. In 2023 alone, hacking accounted for 77% of the large breaches reported to OCR, affecting over 88 million individuals – a 60% increase from the previous year.

The $100,000 settlement with Doctor Management Service resolved the OCR’s investigation into an attack that used GandCrab ransomware, which the company reported in April 2019. The investigation revealed that unauthorized access to the company’s network had first occurred in April 2017, but the intrusion was not detected until December 2018, after ransomware was used to encrypt the company’s files.

The investigation identified several potential violations of HIPAA, including the failure to conduct a comprehensive HIPAA security risk analysis, the failure to implement procedures for regularly reviewing records of information system activity, and the failure to implement reasonable and appropriate policies and procedures in compliance with the HIPAA Security Rule.

As part of the resolution agreement with HHS OCR, Doctor Management Service will implement a corrective action plan and undergo three years of HIPAA compliance monitoring by the agency. The corrective actions include updating the company’s risk analysis and enterprise-wide risk management plan, reviewing and revising policies and procedures to comply with HIPAA privacy and security rules, and providing workforce training on these policies and procedures.

In a statement provided to Information Security Media Group, Doctors Management Service stated that it takes the federal government’s fine very seriously. The company emphasized that while no patient data was proven to have been taken or sold, it acknowledges the importance of safeguarding all healthcare information. To this end, it has enhanced its security measures, including moving Protected Health Information (PHI) to the cloud, and is actively working with regulators to ensure ongoing compliance. The company also stated that it did not pay the ransomware attacker and took immediate action to remove the attacker from its systems. Other measures taken by the company include discontinuing VPN connections within the organization and upgrading all employee hardware to ensure the highest level of protection.

The breach affected approximately 40 clients, the majority of whom are healthcare practitioners in Massachusetts, spanning various specialties. Over the past five years, the company has proactively collaborated with specialized legal and forensic IT experts, as well as its compliance vendor, to continuously enhance its security protocols.

This settlement with Doctors Management Service is the ninth HIPAA enforcement action announced by HHS OCR in 2023. The largest penalty so far this year was a $240,000 settlement in June with Yakima Valley Memorial Hospital in Washington state, following a breach reported in 2018 that involved 23 security guards who inappropriately accessed the records of 419 patients.

Privacy attorney Kirk Nahra of the law firm WilmerHale commented that while this enforcement case was prompted by a ransomware attack, the ultimate findings do not appear to be specific to ransomware. He noted that these are the same types of alleged security failures that OCR has pursued in other situations for many years. Nahra emphasized the importance of having an appropriate incident response plan for ransomware, given its potential implications for both privacy and business operations. He also stressed the necessity of having comprehensive risk assessment and risk management activities to address any potential security incident, whether it involves ransomware or not. He hopes that OCR will continue to be reasonable in its approach to how companies handle their security operations and will avoid a “blame the victim” stance, provided companies have implemented reasonable and appropriate security procedures in good faith.