The U.S. Department of Health and Human Services (HHS) settled data breach charges alongside the Office for Civil Rights (OCR).

On April 22, 2019, Doctors’ Management Services filed a breach report with HHS stating that approximately 206,695 individuals were affected when their network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017. Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files.

Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyberattack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity and availability of electronic protected health information.

Under the terms of the settlement agreement, OCR will monitor Doctors’ Management Services for three years to ensure compliance with HIPAA. In addition, Doctors’ Management Services has agreed to pay $100,000 to OCR and to implement a corrective action plan, which identifies steps that Doctors’ Management Services will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information.