February 23, 2024

Health clinic faces $40,000 fine for HIPAA violations related to lax cybersecurity practices

Author(s): Todd Shryock

HHS is applying increased scrutiny to health care cybersecurity practices

HHS scrutinizing cybersecurity practices: ©Billionphotos - stock.adobe.com

A behavioral health clinic was hit by a $40,000 fine for alleged lax cybersecurity practices following a ransomware attack.

The U.S. Department of Health and Human Services' Office for Civil Rights imposed the $40,000 fine on Green Ridge Behavioral Health, a Maryland-based psychiatric health services provider, for violations of HIPAA in connection with a ransomware attack that occurred in 2019.

The ransomware attack targeted Green Ridge's systems, encrypting the health care records of approximately 14,000 patients. Although the company decided not to pay the ransom and successfully restored its systems from backups, a HIPAA investigation revealed significant non-compliance with regulations, according to HHS.

Green Ridge Behavioral Health was found to have neglected to conduct an accurate and thorough analysis of potential risks and vulnerabilities to electronic protected health information. Additionally, the company failed to implement adequate security measures to mitigate risks, and lacked sufficient monitoring of its health information systems' activity to protect against cyberattacks.

As part of the settlement terms, HHS mandated several corrective actions for Green Ridge, including a comprehensive analysis of potential risks and vulnerabilities, the development of a Risk Management Plan, and a review and revision of written policies and procedures to align with HIPAA Rules. Workforce training on HIPAA policies, an audit of third-party arrangements, and a reporting mechanism for HIPAA non-compliance were also stipulated.

This marks the second instance where OCR has fined a HIPAA-regulated company for violations identified during a ransomware investigation, underscoring the increasing scrutiny and enforcement of cybersecurity standards in the healthcare sector.

Steve Hahn, executive vice president at cybersecurity firm BullWall, emphasized the critical nature of cybersecurity in the health care sector, stating: "Ransomware attacks on medical service providers have become a serious threat to public health and safety. These attacks not only disrupt the delivery of essential medical services but also compromise the security of sensitive patient information."

Hahn further noted the unique vulnerability of health care organizations, stating, "Hospitals and health care organizations are particularly attractive targets for cybercriminals, and their reliance on technology makes them uniquely vulnerable. It is very encouraging to see OCR enforcing compliance with a cybersecurity 'best practices' approach for providers."

Mark B. Cooper, president and founder of PKI Solutions, highlighted the significance of the fine as a wake-up call for security teams in health services providers. He urged a shift toward proactive monitoring and visibility, emphasizing that medical records are more valuable to hackers than credit card numbers or Social Security numbers.

"The fact that this is only the second time OCR has fined a HIPAA company for violations after a cyberattack should be a wake-up call for the security teams at every health services provider," Cooper warned. "Invest in proactive monitoring and visibility now or pay later."

© 2025 MJH Life Sciences

All rights reserved.