On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Additionally, this settlement comes just a handful of weeks after OCR announced a settlement with a Massachusetts medical management company in connection with a large breach report regarding a ransomware attack that affected the PHI of 206,695 individuals – becoming the first ransomware agreement OCR has reached as well.

These new settlements, which are summarized in more detail below, serve as an important reminder that all health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA should develop, implement, and maintain the following best practices to mitigate the impact of a cyber-attack resulting in a breach of protected health information:

  1. Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  2. Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned.
  3. Ensure audit controls are in place to record and examine information system activity.
  4. Implement regular review of information system activity.
  5. Utilize multi-factor authentication to ensure only authorized users are accessing PHI.
  6. Encrypt PHI to guard against unauthorized access.
  7. Incorporate lessons learned from incidents into the overall security management process.
  8. Provide training specific to the organization and job responsibilities on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

Ransomware Cyber-Attack Investigation Settlement

On Oct. 31, 2023, OCR issued a press release announcing that it had reached its first ever ransomware-related settlement agreement with a HIPAA-regulated entity, Doctors’ Management Services (DMS), as a result of OCR’s investigation into a breach reported by the entity which was purportedly caused by a ransomware attack. OCR’s announcement stated that DMS filed its breach report on April 22, 2019, stating that approximately 206,695 individuals were affected when their network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, DMS did not detect the intrusion until Dec. 24, 2018, after ransomware was used to encrypt its files. In April 2019, OCR began its investigation.

As a result of the investigation, OCR’s findings indicated that the following conduct occurred:

  1. DMS failed to conduct an accurate and thorough risk analysis that assesses technical, physical, and environmental risks and vulnerabilities associated with handling PHI;
  2. DMS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and
  3. DMS failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the security rule.

In addition to the $100,000 settlement amount to be paid by DMS, the settlement agreement also requires DMS to operate in accordance with a Corrective Action Plan (CAP) as provided by OCR for a term of three (3) years from the date of the settlement agreement. Notably, while the CAP focuses primarily on remedying the gaps identified during OCR’s investigation, it also requires DMS to submit to OCR all newly developed or revised policies and procedures – each of which must be approved by OCR prior to DMS’ implementation and distribution internally. For example, the following obligation is set forth in DMS’ CAP:

“DMS shall provide the revised policies and procedures identified in section V.B.1 above to HHS for review and approval within sixty (60) days of HHS’ approval of its updated Risk Analysis, as required by A.2.  Upon receiving any recommended changes to such policies and procedures from HHS, DMS shall have thirty (30) days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval.  This process shall continue until HHS approves such revised policies and procedures.”

Furthermore, the CAP identifies several steps that DMS must take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of PHI, including: (i) review and update its risk analysis to identify the potential risks and vulnerabilities to DMS’ data to protect the confidentiality, integrity, and availability of electronic protected health information; (ii) update its enterprise-wide Risk Management Plan — strategy to protect the confidentiality, integrity, and availability of ePHI — to address and mitigate any security risks and vulnerabilities found in the updated risk analysis; and (iii) provide workforce training on HIPAA policies and procedures — as approved by OCR.

Phishing Cyber-Attack Investigation Settlement

On Dec. 7, 2023, OCR issued a press release announcing that it had reached its first ever phishing-related settlement agreement with a HIPAA-regulated entity, Lafourche Medical Group (LMG), as a result of OCR’s investigation into a breach reported by the entity, which was found to be caused by a successful phishing attack. Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source.

According to OCR’s announcement, on May 28, 2021, LMG filed a breach report with OCR stating that an unauthorized individual obtained access to one of LMG’s owners’ email accounts through a phishing attack that took place on March 30, 2021. While LMG determined that the impacted email account did contain PHI, LMG was unable to identify the specific patients affected. Therefore, LMG notified all of its patients – approximately 34,862 individuals, of the incident.

On Jan. 13, 2022, OCR notified LMG of its investigation into LMG’s compliance with the applicable HIPAA Privacy, Security, and Breach Notification Rules. OCR’s investigation revealed that, prior to the 2021 reported breach, LMG failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic PHI across the organization as required by HIPAA. OCR also discovered that LMG had no policies or procedures in place to regularly review information system activity to safeguard PHI against cyberattacks.

Similar to the settlement agreement reached by OCR and DMS just a few weeks prior, LMG agreed to pay a $480,000 settlement amount to OCR and to implement a CAP that will be monitored for two years by OCR. The CAP includes: (i) establishing and implementing security measures to reduce security risks and vulnerabilities to electronic PHI; (ii) developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules; and (iii) providing training to all staff members who have access to PHI on HIPAA policies and procedures.

Highlighting Health Care’s Vulnerability

It seems that every day, another hospital is in the news as the victim of a data breach. The routine is familiar – individuals receive notification by email of the breach, paired reassuringly with two free years of credit and identity monitoring. According to the Ponemon Institute and Verizon Data Breach Investigations Report, the health industry experiences more data breaches than any other sector. Although there may be some potential for bias in this claim, due to the well-defined, legally mandated reporting requirements of HIPAA, making it more likely health care breaches will be reported compared to breaches in other sectors, the numbers continue to rise.

Undeniably, ransomware and hacking are the primary cyber threats in health care. In the past four years, there has been a 239% increase in large breaches — breaches impacting 500 or more individuals — reported to OCR involving hacking and a 278% increase in ransomware. This trend continues in 2023, where hacking accounts for 77% of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60% increase from last year.

In a statement by OCR Director, Melanie Fontes Rainer, related to the settlement reached with DMS, Rainer made it clear that the “settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches.” Additionally, Rainer stated that, “in this ever-evolving space, it is critical that our health care systems take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

Key Takeaways – How to Prepare for the Inevitable

While these two specific incidents experienced by Doctors’ Management Services and Lafourche Medical Group may have resulted in the first OCR settlements related to ransomware and phishing attacks – they will likely not be the last. The risks associated with settlements related to ransomware and phishing attacks underscore how important it is for HIPAA covered entities and business associates to develop, implement, and maintain the HIPAA compliance best practices described above.

Implementing administrative and technical security controls to address the confidentiality, integrity, and availability of protected health information is a complex and resource-intensive process for many organizations. Additionally, responding to a data breach or regulatory investigation can be extremely difficult without the assistance of legal counsel and other specialists with experience in this area of the law. As such, organizations should seek qualified legal counsel whenever making determinations about legal or compliance obligations.

Taft strives to provide regular updates regarding legal developments impacting clients. Please contact the authors of this article with any questions on the implications of these settlements or for additional information. For more information on data privacy and security regulations or other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.