Skip to main content
close search
site logo
Dive Brief

HHS announces first ransomware settlement

Doctors’ Management Services agreed to settle claims it did not comply with HIPAA breach rules and failed to identify risks after a cyberattack exposed the information of more than 200,000 patients.

Published Nov. 1, 2023
By
Staff Reporter
A single opened padlock glows red among rows of closed blue padlocks.
JuSun via Getty Images
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • The HHS announced its first settlement related to a healthcare ransomware attack on Monday with Massachusetts-based medical management company Doctors’ Management Services.
  • Under the settlement, Doctors’ Management will pay $100,000 dollars and undergo a corrective action plan to resolve claims it violated HIPAA breach rules and failed to identify vulnerabilities in its systems before experiencing a breach in 2017 that impacted the private health information of 206,695 individuals. 
  • The HHS Office for Civil Rights called ransomware and hacking the “primary cyber-threats in health care” and warned that companies must take steps to identify and address cybersecurity vulnerabilities as attacks in the industry escalate.

Dive Insight:

Healthcare data breaches are on the rise as companies increasingly rely on electronic health records to store private health information and cyber criminals seize opportunities to exploit vulnerabilities.

Large breaches reported to the OCR have increased by 239% over the past four years, alongside a 278% increase in ransomware incidents, according to a press release. The scale of attacks is also increasing. Large attacks have impacted the records of 88 million individuals so far this year, up 60% from last year, according to the agency. 

The Doctors’ Management breach first occurred in April 2017 and was identified in December 2018. The company reported the breach to OCR in April 2019, after determining their network had been infected with GandCrab ransomware.

In the settlement, the HHS alleged that Doctors’ Management failed to assess risks, monitor and protect health data from potential cyberattacks. To ensure compliance, the OCR placed the company on a corrective plan and will monitor the firm for three years.

As part of the corrective action plan, Doctors’ Management will be required to review and update its risk analysis to identify the potential risks and vulnerabilities to its data, update its enterprise-wide risk management plan accordingly and review its policies and procedures regarding compliance with HIPAA breach notice guidance. The company will also provide workforce training on HIPAA policies and procedures. 

Recently, cyberattacks have affected major hospitals like HCA Healthcare and CommonSpirit Health. An attack targeting Prospect Medical Holdings this year cut access to key computer systems for weeks, forcing some hospitals to temporarily suspend patient services.

Attacks often prove costly. Last year, hospital operators said their most costly incident averaged $4.9 million in disruptions to system operations.

Recommended Reading

Filed Under: Health IT, Government

Editors' picks

Company Announcements

View all | Post a press release
Wiley to Expand Reach and Impact of Medical Education Programs to More Than 2.8 million Health…
From Wiley
July 31, 2024
Jo Abernathy Joins Catalyst Solutions as Advisory Board Member
From Catalyst Solutions
July 31, 2024
HearUSA Ranked a Top Hearing Care Retailer in Newsweek’s America's Best Retailers 2024
From HearUSA
July 30, 2024
Healthworx partners with Highmark Inc, LifeBridge Health for new accelerator program
From Healthworx
July 30, 2024
Editors' picks
Latest in Health IT
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell