OCR Ransomware Attack Settlement

On February 21, 2024, Green Ridge Behavioral Health agreed to a settlement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The HHS settlement, resulting from an investigation into a 2019 ransomware attack, requires the behavioral health provider to pay $40,000, implement a corrective action plan, and submit to three years of OCR monitoring.

In October 2023, HHS settled its first ransomware investigation with a business associate for $100,000.

The Ransomware Attack and OCR Investigation

In February 2019, Green Ridge Behavioral Health submitted a breach report to OCR, informing the HIPAA enforcers that it had suffered an attack on its network server, compromising the protected health information (PHI) of more than 14,000 patients.

The hackers who broke into the behavioral health provider’s server encrypted patient files and demanded ransom for their return.

“Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable,” said OCR Director Melanie Fontes Rainer. “These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”

During its investigation, OCR found that the healthcare provider potentially violated HIPAA Privacy and Security Rules at the time of the breach. According to OCR, the behavioral health provider failed to:

  • Conduct an accurate and thorough security risk assessment (SRA) to identify potential risks and vulnerabilities to electronic PHI
  • Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
  • Monitor its health information systems’ activity to protect against a cyberattack

The corrective action plan (CAP) agreed to by both parties aims to prevent a similar incident from recurring. Under the terms of the CAP, Green Ridge Behavioral Health must:
