HHS reaches second-ever ransomware settlement

Dive Brief:

  • The HHS has reached its second-ever settlement related to a ransomware attack, which exposed the protected health information of more than 14,000 people, the agency announced Wednesday.
  • Maryland-based Green Ridge Behavioral Health agreed to pay $40,000 and implement a corrective action plan after an investigation found potential violations of the HIPAA rule and lax protections following an attack reported in early 2019, according to the HHS’ Office for Civil Rights.
  • The settlement comes as ransomware has become a growing and critical threat to healthcare organizations, and regulators have signaled interest in enforcing cybersecurity standards.

Dive Insight:

Data breaches in the healthcare sector have spiked in recent years, with ransomware and hacking posing the “primary” cyber threats to the industry, according to the HHS.

The agency tracked a 264% increase in large breaches reported to the OCR involving ransomware, a type of malware that denies users access to their data until a ransom is paid.

The attacks can hamper provider operations, denying access to electronic health records or other connected devices and forcing providers to delay patient care or send patients to other facilities.

About one in four providers reported mortality rates rose following a ransomware attack, according to a 2021 survey from the Ponemon Institute.

“Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware,” OCR Director Melanie Fontes Rainer said in a statement.

The HHS recently released voluntary goals for healthcare and public health organizations to boost their cyber protections, noting the agency plans to eventually propose enforceable standards. Late last year, it outlined a strategy that included hospital requirements through Medicaid and Medicare and an update to the HIPAA rule.

The regulator has also announced several settlements with healthcare organizations related to cybersecurity. The HHS reached its first ransomware settlement in November with Massachusetts-based medical management company Doctors’ Management Services.

In the latest settlement with Green Ridge, the agency said its investigation found the mental healthcare provider failed to determine the risks to protected health information, implement security measures to reduce vulnerabilities and sufficiently monitor its IT systems to protect against attack.

The provider will be monitored by the OCR for three years in addition to the fine and corrective action plan, according to the agency. Green Ridge could not be reached for comment.