HHS Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack
An official website of the United States government

OCR settles a ransomware investigation that affected over 14,000 individuals

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with Green Ridge Behavioral Health, LLC, a Maryland-based practice that provides psychiatric evaluations, medication management, and psychotherapy. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information. The settlement resolves an investigation following a ransomware attack that affected the protected health information of more than 14,000 individuals. Ransomware is a type of malware (malicious software) designed to deny access to a user's data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. This marks the second settlement that OCR has reached with a HIPAA regulated entity for potential violations identified during an investigation following a ransomware attack.

"Ransomware is growing to be one of the most common cyber-attacks and leaves patients extremely vulnerable," said OCR Director Melanie Fontes Rainer. "These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients' protected health information is not subjected to cyber-attacks such as ransomware."

In February 2019, Green Ridge Behavioral Health filed a breach report with OCR stating that its network server had been infected with ransomware, resulting in the encryption of company files and the electronic health records of all patients. OCR's investigation found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach. Other findings included that Green Ridge Behavioral Health failed to:

Under the terms of the settlement, Green Ridge Behavioral Health agreed to pay $40,000 and implement a corrective action plan that will be monitored by OCR for three years. The plan identifies steps that Green Ridge Behavioral Health will take to resolve potential violations of the HIPAA Privacy and Security Rules and to protect electronic protected health information, including:

Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/green-ridge-behavioral-health-ra-cap/index.html

The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

If you believe that your or another person's health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html

HHS has developed guidance to help covered entities and business associates better understand and respond to the threat of ransomware. The fact sheet may be found here: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf?language=es

For general media inquiries, please contact media@hhs.gov.

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775