OCR Issues Breach Settlement Agreement with HIPAA Business Associate Over Ransomware Attack
By Burnham Compliance
12.15.23

HIPAA Business Associate Settles Breach Agreement with OCR over Ransomware Attack

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued its first settlement agreement involving a ransomware attack. The agreement, with a Massachusetts-based medical management company that is a HIPAA business associate (BA), resolves an investigation of a data breach that uncovered multiple potential violations of the HIPAA Security Rule. It requires the BA to pay $100,000 to settle the associated civil monetary penalty and to comply with a three-year corrective action plan (CAP).

Employer Action Items

According to OCR, in the past five years, the number of ransomware attacks has increased by a staggering 278%. Employers should ensure they are compliant with the HIPAA Security Rule to assist them in their efforts to ward off these ruthless attacks. Organizations should take steps to identify and address cybersecurity vulnerabilities on an ongoing basis. In particular, employers should:

  • Review processes and procedures related to the administration and governance of HIPAA BAs;
  • Appropriately analyze associated risks;
  • Where needed or overlooked, implement appropriate administrative, physical, and technical safeguards; and
  • Educate their workforce on the importance of HIPAA and the risks of noncompliance.

Employers needing guidance should reach out to their broker/consultant or to OCR to discuss the required performance of HIPAA’s suite of administrative simplification tasks.

Summary

HHS began its investigation in 2019 after receiving a breach notification that approximately 206,695 individuals were affected when Doctors’ Management Services’ (DMS) network server was infected with GandCrab ransomware. The initial intrusion happened on April 1, 2017, and was not detected until December 24, 2018. OCR’s investigation found that DMS failed to:

  • Have a proper analysis in place to determine potential risks and vulnerabilities; and
  • Have policies and procedures in place to assure compliance respecting the HIPAA Privacy and Security Rules.

In addition to the $100,000 payment, DMS must:

  • Review and revise its Security Risk Analysis to identify the potential risks and vulnerabilities to its data for protection of the confidentiality, integrity, and availability of its electronic protected health information (ePHI);
  • Review and revise, as necessary, its written policies and procedures to comply with HIPAA’s Privacy and Security Rules;
  • Update its enterprise-wide Risk Management Plan strategy to protect the confidentiality, integrity, and availability of ePHI and to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis; and,
  • Provide workforce training on HIPAA policies and procedures and submit its training materials (written or electronic certifications, including training dates) to HHS for approval.

The resolution of this investigation brings home the reality of a ransomware attack upon a mid-sized employer and its potential consequences, including a federal agency-imposed CAP. Keep in mind that the employer first had to contain and remediate the ransomware infection itself before it could even address the elements of OCR’s complaint. Identification and mitigation of the harms resulting from such an attack is therefore generally conducted in a multitiered fashion: first restoring business-as-usual operations, then working through the OCR inquiry and audit process associated with the breach. These operations can lead to significant drains upon fiscal and human

More Information

Employers are encouraged to visit the following websites for additional information:

For questions regarding this Legislative Update or any other related compliance issues, please contact your Burnham Benefits Consultant or Burnham Benefits at 949‐833‐2983 or inquiries@burnhambenefits.com.
This Legislative Update was prepared by the Baldwin Regulatory Compliance Collaborative (the “BRCC”), a partnership of compliance professionals offering client support and compliance solutions for the benefit of the Baldwin Risk Partners organization, which includes: Jason Sheffield, BRP National Director of Compliance; Richard Asensio, Burnham Benefits Insurance Services; Nicole L. Fender, the Capital Group; Bill Freeman, AHT Insurance; Stephanie Hall, RBA/TBA; Caitlin Hillenbrand, AHT Insurance; Paul Van Brunt, Baldwin Krystyn Sherman Partners (BKS); and Natashia Wright, Insgroup.

Burnham Benefits and the BRCC do not engage in the practice of law and this publication should not be construed as the providing of legal advice or a legal opinion of any kind. The consulting advice we provide is intended solely to assist in assessing its compliance with applicable federal and state law requirements, and is based on our interpretation of federal guidance in effect as of the date of this publication. To the best of our knowledge, the information provided herein, and assumptions relied on, are reasonable and accurate as of the date of this publication. Furthermore, to ensure compliance with IRS Circular 230, any tax advice contained in this publication is not intended to be used, and cannot be used, for purposes of (i) avoiding penalties imposed under the United States Internal Revenue Code or (ii) promoting, marketing or recommending to another person any tax-related matter.