Medical firm reaches $100,000 settlement with HHS over 2017 ransomware attack

A Massachusetts-based medical management company has agreed to a $100,000 settlement with the U.S. Department of Health and Human Services following a 2017 ransomware attack.

The company, Doctors’ Management Services — which provides medical billing and payer credentialing services — was attacked by the now-defunct GandCrab ransomware gang in April 2017, but the intrusion was not detected until late December the following year, after the group encrypted their files.

The company filed a breach report with HHS four months later, warning that 206,695 people had information accessed by the hackers.

HHS’ Office for Civil Rights (OCR) began an investigation that month and eventually found evidence that the company failed to “determine the potential risks and vulnerabilities to electronic protected health information across the organization” and violated Health Insurance Portability and Accountability Act (HIPAA) laws.

Investigators also found “insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.”

“Our settlement highlights how ransomware attacks are increasingly common and targeting the healthcare system. This leaves hospitals and their patients vulnerable to data and security breaches,” said HHS’ OCR Director Melanie Fontes Rainer.

“In this ever-evolving space, it is critical that our healthcare system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

OCR noted that this is the first settlement the office has reached with an organization affected by ransomware. In addition to the $100,000 fine, OCR said it plans to monitor the company for three years to make sure it complies with the cybersecurity rules of HIPAA.

The company agreed to implement a “corrective plan” to better protect customer health information that includes updating risk management plans, identifying vulnerabilities, revising internal policies and providing workforce training on HIPAA policies.

OCR also provided more general recommendations to all healthcare providers, health plans, clearinghouses, and business associates that are covered by HIPAA, urging each to conduct security audits, ensure vendor contracts have language about data breach obligations, and more.

OCR noted that ransomware has become one of the primary cyberthreats to healthcare, explaining that its data shows a 239% increase in large breaches reported to OCR and a 278% increase in ransomware over the last four years.

Incidents involving hacking now account for 77% of all breaches reported to OCR, they said, and in 2023 alone more than 88 million people have been affected by large breaches. That figure is a 60% increase compared to last year.

Federal and state-level regulators have increasingly used fines and lawsuits as a way to force companies to respect their obligations to protect customer and employee data.

In September, New York Attorney General Letitia James used a settlement to force a local college to invest $3.5 million into cybersecurity after a 2021 data breach leaked troves of sensitive information about almost 200,000 people.

James and other attorneys general have joined forces to fine companies like software company Blackbaud, clothing giant Shein, Carnival Cruises, the grocery chain Wegmans, and more.

GandCrab ransomware

Throughout 2021, Europol and South Korean authorities announced arrests of a handful of people working for the REvil (Sodinokibi) and GandCrab ransomware-as-a-service (RaaS) operations, which experts believe were operated by the same people.

The operations helped carry out more than 7,000 attacks from early 2019 to 2021.

First advertised in January 2018, the GandCrab RaaS was initially a run-of-the-mill group who rented code to cybercrime groups who used spam emails laced with malicious file attachments to infect users.

The group shifted its targeting at the start of 2019, when they began working with a small group of affiliates to target managed service providers in attacks aimed at corporate organizations, hoping to shift from the small ransom demands they could extract from small home users to the larger ransoms they could demand from companies whose networks they crippled.

As this new method of attack started yielding greater profits, the group shut down their GandCrab operation in May 2019 and cybersecurity experts at Bitdefender eventually released free decrypters for the GandCrab ransomware in 2021.