A medical management firm based in Massachusetts, Doctor Management Group, has become the first ransomware victim to be penalized for a data breach by the Department of Health and Human Services (HHS). Doctor Management Group has agreed to a financial settlement of $100,000 and will undergo three years of HIPAA compliance monitoring. This resolution follows an investigation into a ransomware breach reported in 2019 that affected approximately 206,700 individuals.
The HHS Office for Civil Rights (OCR) confirmed that this settlement marks the agency’s first HIPAA enforcement action in a case involving ransomware. The move underscores the increasing prevalence of ransomware attacks targeting the healthcare system, leaving hospitals and patients vulnerable to data breaches, according to Melanie Fontes Rainer, HHS OCR director.
Since 2019, the HHS OCR has noted a 239% increase in major health data breaches reported to the agency involving hacking and a 278% increase in incidents related to ransomware. In 2023, hacking accounted for 77% of large breaches reported to the OCR, affecting more than 88 million individuals, a 60% increase from the previous year.
The investigation into Doctor Management Group found potential HIPAA violations, including the failure to conduct an accurate and thorough HIPAA security risk analysis, failure to implement procedures for regularly reviewing records of information system activity, and failure to implement reasonable and appropriate policies and procedures to comply with various HIPAA Security Rule requirements.
Under the terms of the resolution agreement, Doctor Management Group will take corrective actions, including updating its risk analysis, revising its policies and procedures to comply with HIPAA privacy and security rules, and providing workforce training. The company will also undergo HIPAA compliance monitoring by the HHS OCR for three years.
Doctor Management Group has stated that it takes the fine seriously and has taken steps to enhance its security measures to protect patient privacy. The breach affected approximately 40 clients, most of whom practice in Massachusetts across various healthcare specialties.
While this enforcement case was prompted by a ransomware attack, the ultimate findings do not appear to be specific to ransomware. Privacy attorney Kirk Nahra noted that the issues raised in this case are similar to the alleged security failures that OCR has pursued in other situations for years. Nonetheless, organizations need to have an incident response plan for ransomware, given its potential implications for both privacy and business operations.
In addition, Nahra emphasized the importance of comprehensive risk assessment and risk management activities to address all potential security incidents, whether related to ransomware or other threats. He urged regulators to continue to be thoughtful and reasonable in their approach to security operations and not adopt a “blame the victim” stance when organizations have implemented reasonable and appropriate security procedures in good faith.