Categories
Health Law Highlights

Change Healthcare Ransomware Attack: 10 Lessons Learned

Summary of article from Guidepost Solutions LLC, by Todd Doss:

In February 2024, Change Healthcare fell victim to a ransomware attack due to vulnerabilities in its infrastructure, including outdated software and misconfigured settings. The attackers used sophisticated malware to access the network and breach sensitive data, including patient records, financial data, and administrative details. The incident underscores the importance of robust cybersecurity measures, such as regular data backups, software updates, strong passwords, network segmentation, and continuous employee education. Organizations are also advised to avoid paying ransoms and to stay informed about cybersecurity trends. Lastly, consulting with third-party cybersecurity experts can help assess vulnerabilities and strengthen an organization’s security posture.

Categories
Health Law Highlights

Healthcare Still Underprepared for Scope of Cyber Threats, Says Report

Summary of article from Healthcare IT News, by Andrea Fox:

A new report from Kroll reveals a discrepancy between healthcare organizations’ self-assessment of their cybersecurity maturity and the reality of their readiness. Despite healthcare being among the most breached sectors, many organizations in this industry believe their cybersecurity processes are “very mature”. The report also identified remote access as a key vulnerability, with ransomware groups increasingly gaining initial access through external remote services. Kroll warns of increased scrutiny and accountability for C-suite executives in overseeing cybersecurity defenses. The report concludes that healthcare organizations must close the ‘self-diagnosis gap’ and enhance their security measures to protect against cyber threats.

Categories
Health Law Highlights

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

Summary of article from The HIPAA Journal, by Steve Adler:

Ernest Health, a Texas-based health system, is facing a lawsuit following a cyberattack that compromised the protected health information of approximately 94,747 patients. The breach, claimed by the LockBit ransomware group, occurred between January 16, 2024, and February 4, 2024, leading to unauthorized access to sensitive patient data. The lawsuit, filed by Joe Lara and Lauri Cook, alleges that Ernest Health had insufficient cybersecurity measures and training, resulting in the inability to prevent or effectively respond to the breach. The plaintiffs claim that the 73-day delay in individual notifications hindered their ability to mitigate damages and that the response measures, including credit monitoring and identity theft protection, were inadequate. The lawsuit seeks a jury trial, various forms of relief, and damages, alleging negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty.

Categories
Health Law Highlights

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

From Ars Technica, by Andy Greenberg and Matt Burgess:

Change Healthcare, a prominent healthcare company in the U.S., has been embroiled in a significant ransomware debacle, initially victimized by the group AlphV, which encrypted the company’s network and received a $22 million ransom payment. Now, a new ransomware group, RansomHub, claims to possess 4 terabytes of Change Healthcare’s stolen data and is demanding its own ransom. While the origins of RansomHub’s data are unclear, security analysts suggest that the threat may be legitimate. This situation highlights the risk of re-extortion in ransomware attacks and the untrustworthiness of cybercriminals, even after ransoms are paid. The ongoing attack has caused severe disruptions across U.S. medical practices, with 80% of clinicians reporting revenue loss and many facing potential bankruptcy.

Categories
Health Law Highlights

Healthcare Hit Hardest by Ransomware Last Year, FBI IC3 Report Shows

From Health IT Security, by Jill McKeon:

The Federal Bureau of Investigation’s 2023 Internet Crime Report reveals that the healthcare sector experienced the highest number of ransomware attacks among all critical infrastructure sectors last year.

The FBI’s Internet Crime Complaint Center (IC3) recorded an unprecedented 880,418 complaints, marking a 10% increase from the previous year and financial losses exceeding $12.5 billion, a 22% increase. Of the total complaints, 1,193 were from critical infrastructure organizations, with 249 from healthcare and 218 from critical manufacturing.

The report suggests that the high figures from the healthcare sector could be due to its readiness to report such incidents. The FBI has historically struggled to determine the actual number of ransomware victims, as many cases go unreported. The two most prevalent ransomware variants, LockBit and ALPHV/BlackCat, known for targeting healthcare, were responsible for 175 and 100 attacks respectively.

Ransomware was a significant concern across IC3’s complaint database, with over 2,800 complaints related to ransomware, an 18% increase from 2022. Financial losses from these attacks rose by 74% from $34.3 million to $59.6 million. The FBI noted emerging trends, including deploying multiple ransomware variants against the same victim and using data-destruction tactics to increase pressure on victims to negotiate.

Categories
Alert

HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack

From HHS Press Release:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), reached a settlement with Green Ridge Behavioral Health, LLC under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) due to potential violations identified during an investigation following a ransomware attack, which affected over 14,000 individuals’ protected health information.

This incident marks the second settlement that OCR has reached with a HIPAA-regulated entity following a ransomware attack. The OCR’s investigation revealed that Green Ridge Behavioral Health had failed to accurately assess potential risks and vulnerabilities to electronic protected health information, implement adequate security measures, and monitor its health information systems effectively to guard against cyber-attacks.

As part of the settlement, Green Ridge Behavioral Health agreed to pay a fine and implement a corrective action plan, which will be monitored by OCR for three years, to address potential violations of the HIPAA Privacy and Security Rules. The CAP includes conducting a thorough risk analysis, developing a risk management plan, revising policies and procedures as needed to comply with HIPAA rules, providing workforce training, auditing third-party arrangements for proper business associate agreements, and reporting non-compliance by workforce members to the OCR.

Categories
Health Law Highlights

HHS Issues First Settlement for HIPAA Violations Related to a Ransomware Attack

From Hall Benefits Law, by Anne Tyler Hall:

  • The U.S. Department of Health and Human Services (HHS) reached a settlement with a Massachusetts-based medical management company for alleged violations of HIPAA’s Privacy and Security Rules. The company, a HIPAA business associate, will pay $100,000 and comply with a three-year corrective action plan (CAP).
  • The investigation began in 2019, following the company’s notification to HHS about a Gandcrab ransomware attack that had occurred two years prior. The attack, discovered 18 months after it happened, affected the electronic Protected Health Information (ePHI) of over 206,000 individuals.
  • HHS found that the company violated HIPAA rules by disclosing individuals’ ePHI without authorization and failing to perform a thorough risk analysis, regularly review information system activity, and establish compliant security policies and procedures.
  • The CAP requires the company to revise its HIPAA policies and procedures, addressing issues like security awareness, training, and regular review of information system activities. The company must distribute these revised policies to all workers who use or disclose ePHI, and promptly report any noncompliance to HHS.
  • The CAP also mandates that the company conduct a thorough risk analysis of potential risks and vulnerabilities concerning its existing system for storing ePHI. The company must document its security measures, adopt a risk management plan, and submit annual reports to HHS throughout the three-year duration of the CAP.