One Sunday afternoon, an employee of Mind and Motion realized that their server had been hacked when she couldn’t access any of their files. Upon discovery of the breach, the employee reached out to the Practice Administrator and the Clinical Director, letting them know that she thought there was something wrong.
It was immediately apparent that they had suffered a ransomware attack, as all of their files were maliciously encrypted, and hackers were demanding a ransom for the return of the files. The server in question contained the protected health information (PHI) of approximately 16,000 patients, going back to 1995.
As a client of Compliancy Group, Mind and Motion knew they could count on Compliancy Group to support them through their audit. Compliancy Group’s Audit Response Team was quickly able to tell Mind and Motion everything they needed to do, and what to expect in the forthcoming audit. When the HHS sent Mind and Motion the letter informing them of their upcoming audit, they were already prepared with how they were going to respond, thanks to the expertise of Compliancy Group.
“Compliancy Group did a great job of taking a task that seems overwhelming at first and simplifying it. Providing a plan and direction was extremely helpful,” said Davey Cantor, Practice Administrator, Mind and Motion. Using Compliancy Group saved Mind and Motion from potential massive fines, fees, and liabilities, as well as time that they didn’t have to address HIPAA compliance on their own.
In response to the incident, Mind and Motion called their third-party IT company, also known as a managed service provider (MSP), for advice. The IT company came into Mind and Motion’s office and removed the server to isolate it from the network and prevent further damage. The IT company then did an audit to attempt to figure out how Mind and Motion had been hacked.
As required under HIPAA law, Mind and Motion reported the breach to the Department of Health and Human Services (HHS) through their online breach reporting portal, and then reached out to Compliancy Group for audit support. Compliancy Group provided them with the security risk analysis reports to prove that their IT structure and their internal policies and procedures were HIPAA compliant.
“Especially dealing with an audit, you want to go with someone that has experience dealing with these things. You don’t know what you don’t know, and HIPAA can be kind of complicated. And if you just want the peace of mind to be able to operate in a way that is compliant, then for me, in terms of affordability, professionalism, ease of use, and service, I would highly recommend you guys,” said Davey Cantor, Practice Administrator, Mind and Motion.
Being proactive about their compliance was a major factor in the HHS absolving Mind and Motion of any wrongdoing. They were able to prove that they had made every effort to be HIPAA compliant. Compliancy Group walked Mind and Motion through the entire audit process, including employee training, remediation efforts, and notifying patients of the breach. Luckily, Mind and Motion had backed up their files, and they were able to recover them soon after the incident, without having to pay the ransom.
“Bad things happen to good people — any organization can be the victim of a breach — we help keep clients and their offices safe with HIPAA compliance. Nobody is perfect; HIPAA compliance is about proving that you have made every effort to keep your patient information safe,” said Marc Haskelson, CEO, Compliancy Group.
Mind and Motion Developmental Centers of Georgia is a multidisciplinary treatment facility in Johns Creek providing complementary services, such as Psychological Testing, qEEG Brain Mapping, Neurotherapy, Allied Health and Mental Health services to children and adults seeking help with various life issues. Their mission is to create a model practice that can become a national and world standard for applying brain-behavior sciences in actual practice.