Ransomware Attack Leads to Financial Penalty for Maryland Psychotherapy Center

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced that a second financial penalty has been imposed to resolve HIPAA violations that led to a ransomware attack. Green Ridge Behavioral Health, a Maryland-based provider of psychotherapy, medication management, and psychiatric evaluations, has agreed to pay a financial penalty of $40,000 and adopt a Corrective Action Plan (CAP) to resolve the alleged HIPAA violations.

In February 2019, Green Ridge Behavioral Health reported a ransomware attack and data breach to OCR involving the protected health information (PHI) of 14,000 individuals. OCR launched an investigation, as it does with all breaches of 500 or more healthcare records, to determine whether Green Ridge Behavioral Health was fully compliant with the HIPAA Rules. During the investigation, OCR determined that there had been a failure to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) of patients. OCR also determined that appropriate security measures had not been implemented to reduce risks to ePHI, and records of activity in information systems containing ePHI were not being monitored for suspicious activity. Green Ridge Behavioral Health agreed to settle the alleged violations with no admission of wrongdoing.

The CAP requires Green Ridge Behavioral Health to conduct a comprehensive, organization-wide risk analysis, develop a risk management plan to address the risks and vulnerabilities identified during the risk analysis, update its HIPAA policies and procedures, provide training to the workforce, conduct an audit of third-party vendors to ensure business associate agreements are in place, and ensure that HIPAA violations by members of its workforce are reported to OCR.

“Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable,” said OCR Director Melanie Fontes Rainer. “These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”

The first ransomware-related HIPAA settlement was announced by OCR in November 2023. The HIPAA business associate, Doctors’ Management Services, agreed to a $100,000 settlement with OCR to resolve alleged HIPAA violations that contributed to a ransomware attack and data breach that affected 206,000 individuals. The settlement with Green Ridge Behavioral Health is the second of 2024. Earlier this month, OCR agreed to settle multiple potential HIPAA violations with Montefiore Medical Center for $4,750,000. With these two penalties, OCR has already exceeded last year’s total of $4,176,500, which was collected from settlements and civil monetary penalties to resolve violations of the HIPAA Rules.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/