OCR completes its second ransomware investigation, likely not the last

Following an investigation into the breach of the protected health information of 14,000 individuals, U.S. Health and Human Services and the Office of Civil Rights announced a $40,000 settlement with Green Ridge Behavioral Health, which provides psychiatric evaluations, medication management and psychotherapy.


The Maryland-based practice reported in February 2019 that its network server was infected with ransomware, resulting in the encryption of company files and the electronic medical records of all patients, according to an OCR announcement on February 21.

According to the agency, post-ransomware investigations also revealed that the behavioral health practice failed to accurately and thoroughly analyze the potential risks and vulnerabilities to electronic protected health information it held, implement security measures to reduce those vulnerabilities, and adequately protect health information systems monitors. activity to protect ePHI from a cyber attack.

Ransomware leaves patients exposed, OCR director Melanie Fontes Rainer emphasized in a statement about the settlement.

“These attacks cause problems for patients who do not have access to their medical records, which may prevent them from making the most accurate decisions about their health and well-being,” she said.

Under OCR’s terms, Green Ridge Behavioral Health agreed to pay $40,000 and implement a corrective action plan that will be monitored for three years, the agency said.

Earlier in November, OCR settled its first ransomware breach investigation with Doctors’ Management Services, a third-party medical billing and payment data service, over the theft of 206,695 individuals’ protected data using the GandCrab ransomware.


With a 256% increase in major breaches involving hacking reported to OCR and a 264% increase in ransomware over the past five years, the agency has been able to track the impact cyber attacks have on breached patient data.

In 2023, the largest reported breaches affected more than 134 million people, a 141% increase from 2022, the agency said. However, hacking was responsible for 79% of major breaches reported to OCR.

Phishing, vishing, smishing and quishing are tactics hackers use to victimize healthcare organizations.

By recognizing hackers’ motivations and understanding where they can attack, Chief Information Officers can learn how to protect against social engineering attacks.

Healthcare providers need to understand the specifics of their own organizations’ security capabilities to know why they are more likely to be targeted, and how the patient data they hold could inspire the motivations of hackers, as Kathleen Ann Mullin, CISO at MyCareGorithm, told us in 2021.

“Do they have a strong and mature information security program?” she asked. “Is the organization a market leader? Do they have a large market share? What country or region are they in? Are their leaders active in the media? Or on social media?

“Do they have famous, wealthy, or other notable patients? Do they have research facilities? Do they teach or train? Have they had breaches in the past? Does their organization or (their) employees post or share information about their systems or infrastructure? Are there dissatisfied current or former employees? Are the suppliers who supply or support their systems known?”


“Healthcare providers must understand the severity of these attacks and must have practices in place to ensure that patients’ protected health information is not exposed to cyberattacks such as ransomware,” OCR’s Fontes Rainer said in announcing the new ransomware settlement.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.