Health clinic faces $40,000 fine for HIPAA violations related to lax cybersecurity practices

HHS scrutinizing cybersecurity practices: ©Billionphotos - stock.adobe.com

A behavioral health clinic was hit by a $40,000 fine for alleged lax cybersecurity practices following a ransomware attack.

The U.S. Department of Health and Human Services' Office for Civil Rights imposed the $40,000 fine on Green Ridge Behavioral Health, a Maryland-based psychiatric health services provider, for violations of the HIPAA in connection with a ransom attack that occurred in 2019.

The ransom attack targeted Green Ridge's systems, encrypting the health care records of approximately 14,000 patients. Despite the company's decision not to pay the ransom and successfully restore their systems from backups, an investigation by HIPAA revealed significant non-compliance with regulations, according to HHS.

Green Ridge Behavioral Health was found to have neglected to conduct an accurate and thorough analysis of potential risks and vulnerabilities to electronic protected health information. Additionally, the company failed to implement adequate security measures to mitigate risks, and lacked sufficient monitoring of its health information systems' activity to protect against cyberattacks.

As part of the settlement terms, HHS mandated several corrective actions for Green Ridge, including a comprehensive analysis of potential risks and vulnerabilities, the development of a Risk Management Plan, and a review and revision of written policies and procedures to align with HIPAA Rules. Workforce training on HIPAA policies, an audit of third-party arrangements, and a reporting mechanism for HIPAA non-compliance were also stipulated.

This marks the second instance where OCR has fined a HIPAA-regulated company for violations identified during a ransomware investigation, underscoring the increasing scrutiny and enforcement of cybersecurity standards in the healthcare sector.

Steve Hahn, executive vice president, at cybersecurity firm BullWall, emphasized the critical nature of cybersecurity in the health care sector, stating: "Ransomware attacks on medical service providers have become a serious threat to public health and safety. These attacks not only disrupt the delivery of essential medical services but also compromise the security of sensitive patient information."

Hahn further noted the unique vulnerability of health care organizations, stating, "Hospitals and health care organizations are particularly attractive targets for cybercriminals, and their reliance on technology makes them uniquely vulnerable. It is very encouraging to see OCR enforcing compliance with a cybersecurity 'best practices' approach for providers."

Mark B. Cooper, president and founder of PKI Solutions, highlighted the significance of the fine as a wake-up call for security teams in health services providers. He urged a shift toward proactive monitoring and visibility, emphasizing that medical records are more valuable to hackers than credit card numbers or Social Security numbers.

"The fact that this is only the second time OCR has fined a HIPAA company for violations after a cyberattack should be a wake-up call for the security teams at every health services provider," Cooper warned. "Invest in proactive monitoring and visibility now or pay later."