The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a $40,000 settlement with Green Ridge Behavioral Health over a ransomware attack that compromised its patients' protected health information. This marks only the second time that OCR has taken enforcement action in response to a ransomware attack affecting health information protected by the Health Insurance Portability and Accountability Act (HIPAA).
Green Ridge Behavioral Health, a Maryland-based mental health service provider, fell victim in 2019 to a ransomware attack that exposed the sensitive data of over 14,000 patients. OCR's investigation found that Green Ridge had not conducted the accurate and thorough risk analysis required by the HIPAA Security Rule, nor had it implemented security measures sufficient to reduce the risks it faced to a reasonable level. These failures not only violated HIPAA but also left patient information exposed to cybercriminals.
Under the settlement, Green Ridge Behavioral Health will pay $40,000 and must implement a corrective action plan. The plan requires the provider to conduct an accurate and thorough risk analysis and to establish risk management policies and procedures, so that safeguards are in place to protect patient data against future threats. OCR will monitor Green Ridge's compliance with the plan for three years.
The settlement and the follow-up monitoring show how seriously HHS is treating the growing cybercriminal threat to the healthcare sector. HHS says that over the past five years there has been a 256% increase in large breaches involving hacking and a 264% increase in ransomware attacks reported to OCR, and that breaches reported in 2023 alone affected the protected health information of 134 million people.
“Ransomware is growing to be one of the most common cyberattacks and leaves patients extremely vulnerable,” said OCR Director Melanie Fontes Rainer. “These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being. Healthcare providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyberattacks such as ransomware.”
The Green Ridge enforcement action sends a clear message to healthcare providers about the importance of HIPAA compliance and of proactive cybersecurity measures. Cybercriminals have sharply increased their targeting of the healthcare sector, and ransomware in particular threatens both patient privacy and the availability of care, since encrypted systems can cut clinicians and patients off from medical records. The Green Ridge case underscores the need for healthcare providers to continually assess and improve their security controls to prevent the compromise of patient information.
To mitigate the growing cyber threat and to remain compliant with HIPAA, OCR recommends, among other actions, the following:
- Ensuring that risk analysis and risk management are conducted regularly, and especially whenever new technologies or changes to business operations are planned.
- Implementing regular review of information system activity, such as audit logs and access reports, to detect unauthorized access.
- Utilizing multi-factor authentication to ensure only authorized users are accessing protected health information.
- Encrypting protected health information to guard against unauthorized access.
- Providing workforce training on HIPAA responsibilities and reinforcing workforce members’ critical role in protecting patient privacy and security.