Create A Cyber Risk Management Plan Before There Is A Breach

Green Ridge Behavioral Health, LLC (Green Ridge) in Maryland recently agreed to settle a lawsuit brought against it by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In February 2021, Green Ridge filed a breach report with OCR stating that its network server had been infected with ransomware and that company files and patient electronic health records were encrypted. The ransomware attack allegedly compromised the protected health information of more than 14,000 patients.

An OCR investigation "found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach."

Investigators also determined that Green Ridge failed to analyze the "potential risks and vulnerabilities to electronic protected health information"; implement security measures to reduce them; and sufficiently monitor system activity to protect against a cyberattack.

Green Ridge agreed to pay $40,000 and implement a corrective action plan that includes conducting a comprehensive and thorough analysis of these potential risks and vulnerabilities; creating a Risk Management Plan to address and mitigate them; revising its policies and procedures to comply with HIPAA, as necessary; training staff on HIPAA policies and procedures; auditing third-party arrangements; and reporting HIPAA violations to OCR.

OCR will monitor implementation of the plan for three years.

This is the second settlement reached between OCR and "a HIPAA regulated entity for potential violations identified during an investigation following a ransomware attack." "HHS' Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack" www.hhs.gov (Feb. 21, 2024).

Commentary

In the source material, one of the many settlement provisions required Green Ridge to create a "Risk Management Plan" to address data risks.

Organizations of all types can benefit from implementing a cyber risk management plan before there is a breach. This would involve conducting a risk assessment; implementing risk mitigation strategies; and continually monitoring the security of the information system.

A risk assessment may include threat modeling and vulnerability analysis through static code analysis and network, host, and database scanning. The effectiveness of security control measures should be evaluated continuously. "CMS Cyber Risk Management Plan (CRMP)" security.cms.gov (Mar. 27, 2023).

Work with your IT team or a skilled third party to conduct a risk assessment and create a cyber risk management plan to help protect your organization from a ransomware attack.


Oct 17, 2024

Create A Cyber Risk Management Plan Before There Is A Breach

Failing to assess and address cyber risks and vulnerabilities leaves your organization vulnerable to a ransomware attack. We examine.
