Green Ridge Behavioral Health Settles with HHS Over HIPAA Violations Following Ransomware Attack


WASHINGTON, D.C. — The U.S. Department of Health and Human Services (HHS) has announced a settlement with Maryland-based Green Ridge Behavioral Health, LLC. The agreement was reached after a ransomware attack on the health provider exposed the personal health information of over 14,000 patients. This marks the second such settlement that the Office for Civil Rights (OCR), the enforcing body for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has reached with a HIPAA-regulated entity following a ransomware attack.

Ransomware is malicious software used by cybercriminals to encrypt data and deny users access until a ransom is paid. With the rise in these types of cyber-attacks, patients are left at risk because they cannot access their medical records, which can hinder their healthcare decisions.

In February 2019, Green Ridge Behavioral Health reported a breach to OCR stating that its network server had been infected with ransomware. This resulted in the encryption of company files along with electronic health records of all patients. An investigation launched by OCR found potential violations of HIPAA Privacy and Security Rules leading up to the breach.

Findings of the investigation revealed that Green Ridge Behavioral Health failed to accurately analyze potential risks and vulnerabilities to electronic protected health information. The provider also did not implement adequate security measures to reduce these risks and vulnerabilities to a reasonable and appropriate level. Furthermore, Green Ridge Behavioral Health did not have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.

“Ransomware is becoming one of the most common cyber-attacks and leaves patients extremely vulnerable,” said OCR Director Melanie Fontes Rainer. “These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being.”

Under the terms of the settlement, Green Ridge Behavioral Health has agreed to pay $40,000 and implement a corrective action plan that will be monitored by OCR for three years. The plan outlines steps that Green Ridge Behavioral Health will take to resolve potential violations of the HIPAA Privacy and Security Rules and to protect electronic protected health information.

These steps include conducting a comprehensive analysis of potential risks and vulnerabilities to electronic protected health information, designing a Risk Management Plan to address and mitigate security risks, and reviewing and revising written policies and procedures to comply with HIPAA rules. Additionally, the plan calls for workforce training on HIPAA policies and procedures, an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, and reporting to OCR when workforce members fail to comply with HIPAA.

This settlement puts healthcare providers on notice of the importance of adhering to HIPAA regulations to protect patient data. Moreover, it is a stark reminder of the potential financial and reputational consequences of failing to implement adequate cybersecurity measures. As ransomware attacks continue to rise, healthcare providers must prioritize protecting the privacy and security of their patients’ health information.
