OCR settles with DMS for ransomware breach

While the agreement is not an admission of liability, Doctors’ Management Services has agreed to pay a penalty of $100,000 and be subject to HIPAA-compliance monitoring by OCR for three years.
By Andrea Fox
06:44 PM

Following an investigation into the breach of the protected health information of 206,695 individuals, the U.S. Department of Health and Human Services' Office for Civil Rights announced a settlement with Doctors' Management Services, which provides medical billing, payor credentialing and other third-party healthcare services to several covered entities.

WHY IT MATTERS

Massachusetts-based DMS reported in April 2019 that an unauthorized third party gained access to its network on April 1, 2017, and was active in its system until it deployed ransomware on December 24, 2018.

According to OCR, the breach report filed with HHS stated that PHI was exposed when its network server was infected with GandCrab ransomware.

OCR's investigation of the incident under the HIPAA Privacy, Security and Breach Notification Rules found evidence of potential failures: insufficient system monitoring to protect against a cyberattack, and a lack of HIPAA policies and procedures to implement the privacy requirements of HIPAA.

The agency said that, as a business associate of covered entities, DMS did not have adequate measures in place to protect the confidentiality, integrity and availability of electronic PHI.

"DMS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports," HHS said in a statement Tuesday.

Monitoring and numerous other cybersecurity best practices should be employed regularly across an enterprise to prevent future attacks, according to OCR Director Melanie Fontes Rainer.

The corrective action plan DMS agreed to identifies the steps it must take to protect ePHI and maintain compliance with HIPAA, which include:

  • Review and update its risk analysis to identify the potential risks and vulnerabilities to data within 180 days of the plan's effective date.
  • Update the company's enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the approved risk analysis within 90 days of the latter's approval.
  • Review and revise written policies and procedures to comply with HIPAA within 60 days from the approval of the updated risk management plan.
  • Provide each workforce member who has access to PHI with training on approved HIPAA policies and procedures within 60 days and then every 12 months.

DMS must provide annual reports on compliance with the three-year CAP.

THE LARGER TREND

"Over the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware," according to HHS. Hacking has already increased 60% from last year, the agency added, and has affected more than 88 million individuals in 2023.

For several years, the cybersecurity practices of business associates have been known to cause healthcare data breaches.

GandCrab targeted older Windows PCs, no longer supported by Microsoft, through Server Message Block vulnerabilities.

SMB is the protocol that lets Microsoft Windows computers share files, serial ports and printers across a network, and it remains enabled on many legacy systems. Using the National Security Agency's EternalBlue exploit – the same hacking tool used in WannaCry and Petya – GandCrab spread through spam email, fake software-cracking sites and malicious WordPress sites.

"If we are lazy about patching and upgrading our systems sector-wide, GandCrab will be (somewhat) problematic for the healthcare sector," said Lee Kim, HIMSS senior principal of cybersecurity and privacy.

"But, it's not the 1990s anymore and many healthcare organizations are a bit more proactive with their cybersecurity programs," she told Healthcare IT News in July 2018.

Third-party cybersecurity risks from business associates like DMS have required healthcare organizations to prioritize security in procurement, review every contract regularly, deploy identity- and access-management software throughout networks and systems, implement best practices for cyber hygiene, and much more.

ON THE RECORD

"Our settlement highlights how ransomware attacks are increasingly common and targeting the healthcare system," Rainer said in the announcement. "This leaves hospitals and their patients vulnerable to data and security breaches.

"In this ever-evolving space, it is critical that our healthcare system take steps to identify and address cybersecurity vulnerabilities, along with proactively and regularly review risks, records and update policies," she added. 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
