Healthcare breaches, and an HHS settlement.
By Tim Nodar, CyberWire senior staff writer
Nov 3, 2023

The US Department of Health and Human Services settles a HIPAA case involving a data breach.

The US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has reached a $100,000 HIPAA (Health Insurance Portability and Accountability Act) settlement with a Massachusetts medical management company, Doctors’ Management Services, over a ransomware attack the company sustained in 2018.

A nine-month delay in detection.

HHS states, “On April 22, 2019, Doctors’ Management Services filed a breach report with HHS stating that approximately 206,695 individuals were affected when their network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files. In April 2019, OCR began its investigation.

“OCR’s investigation found evidence of potential failures by Doctors’ Management Services to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.”

Ransomware as a threat to public health.

Jan Lovmand, CTO at BullWall, wrote in emailed comments, “Ransomware attacks on hospitals have become a serious threat to public health and safety. These attacks not only disrupt the delivery of essential medical services, postponing critical surgeries and treatments and putting patients' lives at risk, but also compromise the security of sensitive patient information. The impact of these attacks can be devastating, as they can leave hospitals struggling to recover their data and regain control of their systems. Whether the ransom is paid or not, the costs in dollars and lost patient care severely cripple these already struggling institutions.”

The healthcare sector’s reliance on technology renders it attractive to extortionists, Lovmand said. “Hospitals and healthcare organizations are particularly attractive targets for cybercriminals, and their reliance on technology to manage everything from patient records to surgical equipment makes them uniquely vulnerable. This is compounded by their limited resources to invest in cybersecurity measures. But with ransomware continuing to be a significant threat to these organizations, investments must be made to contain these attacks, eliminating the need to resort to a complete shutdown of IT systems, and healthcare services.”

Dave Ratner, CEO at HYAS, described the attractiveness of the data healthcare providers handle. “Healthcare organizations are increasingly under attack because of the value of the data they hold. In addition to regularly reviewing risks, records, and updating policies, organizations need to assume that they will be breached and ensure that they have the required visibility internally to detect a breach, isolate it, and shut it down before the criminals exfiltrate and/or encrypt data. Ensuring that they are resilient to breaches is the only path forward.”