
Small Behavioral Health Clinic Settles Ransomware Attack with OCR

Updated: Mar 4

Yes, you read that correctly. Small isn't a reason for non-compliance.


Unfortunately, Green Ridge Behavioral Health reported in 2019 that it had been hacked and that the ePHI of more than 14,000 people was encrypted by criminals. Just as bad, OCR concluded that Green Ridge failed to:

  • Have in place an accurate and thorough analysis to determine the potential risks and vulnerabilities to electronic protected health information;

  • Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level; and

  • Have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.


Luckily, Green Ridge is only paying OCR $40K. We don't know what the almost-automatic civil lawsuit will cost, nor the related lost income from lawyer fees, lost business, etc. Green Ridge did agree to a three-year settlement that also included:

  • Conducting a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;

  • Designing a Risk Management Plan to address and mitigate security risks and vulnerabilities found in the Risk Analysis;

  • Reviewing, and as necessary, developing, or revising its written policies and procedures to comply with the HIPAA Rules;

  • Providing workforce training on HIPAA policies and procedures;

  • Conducting an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, where applicable; and

  • Reporting to OCR when workforce members fail to comply with HIPAA.


We write pretty routinely how criminals are continuing to get their hands on protected health information, and how these acts can cost a covered entity or business associate dearly. The graphic below opens the settlement agreement for your reading.


Stay (HIPAA) safe,

Alan -


