The U.S. Department of Health and Human Services (HHS) has recently finalized its second-ever settlement in connection with a ransomware attack. Green Ridge Behavioral Health, a mental healthcare provider based in Maryland, will pay a $40,000 fine and adopt a corrective action plan after a 2019 ransomware incident exposed the protected health information of over 14,000 individuals. The HHS Office for Civil Rights identified potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and deficiencies in cybersecurity protocols.
This settlement is indicative of the escalating threat posed by ransomware to healthcare organizations. Recent years have seen a significant surge in data breaches within the healthcare sector, with ransomware and hacking emerging as the predominant cyber threats, as noted by the HHS. The agency reported a staggering 264% increase in large breaches linked to ransomware, causing disruptions in provider operations by denying access to crucial electronic health records and connected devices. A 2021 survey from the Ponemon Institute revealed that approximately one in four healthcare providers experienced a rise in mortality rates following a ransomware attack.
In response to this growing menace, the HHS has released voluntary cybersecurity goals for healthcare and public health entities, with plans to propose enforceable standards in the future. The agency emphasizes the urgency for healthcare providers to establish robust practices to safeguard patients’ protected health information from cyber threats like ransomware. The Green Ridge Behavioral Health case underscores the HHS's commitment to enforcing cybersecurity standards: in addition to the fine and corrective action plan, the agency will monitor the provider for three years.