The U.S. Department of Health and Human Services (HHS) has concluded its investigation into a 2018 data breach at Doctors' Management Services and reached a resolution in which the company pays a USD 100,000 penalty to settle the matter.
The HHS cyberattack settlement is the first such agreement reached by the Health and Human Services' Office for Civil Rights (OCR).
What Led to the HHS Cyberattack Settlement?
Doctors' Management Services (DMS), a healthcare business associate and medical management company based in Massachusetts, suffered a ransomware attack in 2018. The attack was carried out by the GandCrab ransomware gang and impacted 206,695 individuals associated with DMS at that time.
The threat actors began their initial intrusion attempts in 2017. However, the breach was only detected in December 2018, when DMS's files were encrypted by the GandCrab ransomware. A formal report was filed in 2019, after which OCR launched an investigation into the incident.
During the investigation, OCR spotted several red flags that had been ignored by Doctors' Management Services. OCR highlighted DMS's failure to analyze the risks and vulnerabilities to its electronic protected health information, its insufficient monitoring of health information systems to defend against a cyberattack, and its non-implementation of the HIPAA Security Rule.
“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer.
Doctors' Management Services has agreed to pay the USD 100,000 HHS cyberattack settlement penalty and to implement a corrective action plan to prevent such cybersecurity failures in the future.
DMS's corrective action plan includes a review and update of its risk analysis procedure and an update of its enterprise-wide risk management plan.
DMS has also agreed to revise its policies for better compliance with the HIPAA Privacy and Security Rules and to train its staff on those HIPAA policies.
Fontes Rainer added, “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”
In the wake of increasing cyberattacks on healthcare organizations, OCR has recommended reviewing vendor relationships, implementing multi-factor authentication, and conducting periodic risk analyses to prevent similar incidents from harming healthcare infrastructure in the US.