Doctors’ Management Services to Pay OCR $100,000 to Settle HIPAA Probe
The HHS Office for Civil Rights (OCR) has agreed to accept $100,000 from Doctors’ Management Services to settle an investigation into a ransomware attack and data breach that uncovered multiple potential violations of the HIPAA Security Rule.
Doctors’ Management Services (DMS), a Massachusetts-based medical management company, provides services such as payor credentialing and medical billing. On December 24, 2018, DMS discovered a GandCrab ransomware attack that had encrypted files on its network. The forensic investigation determined that the attackers had first gained network access on April 1, 2017, roughly 20 months before the encryption was noticed.
According to DMS, the attacker gained access to its network through Remote Desktop Protocol (RDP) on one of its workstations and may have obtained names, addresses, dates of birth, driver’s license numbers, Social Security numbers, insurance details, Medicaid/Medicare ID numbers, and diagnostic information. DMS reported the breach to OCR on April 22, 2019, stating that up to 206,695 individuals were affected.
OCR opened an investigation into DMS’s HIPAA compliance and identified several potential violations. In addition to the impermissible disclosure of the protected health information (PHI) of 206,695 individuals, OCR found that DMS had not conducted an accurate and thorough risk analysis to assess the physical, technical, and environmental risks and vulnerabilities to the ePHI it handled.
OCR also found that DMS had not implemented procedures to regularly review records of information system activity, such as access reports, audit logs, and security incident tracking reports, which is how an RDP logon in April 2017 could go unnoticed until files were encrypted in December 2018. OCR further determined that DMS had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.
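The finding above is the absence of routine review of access reports and audit logs on a network whose initial foothold was an RDP logon to a workstation. The following Python script is an added example, not code from the article, OCR, or DMS, of the kind of review a covered entity could run over Windows Security log records: it flags successful RDP logons (logon type 10) from addresses outside the private ranges, and a burst of failed logons from one source address followed by a successful RDP logon from that same source. The event records are constructed for the example; the field names, thresholds, and time window are assumptions.

```python
"""Review Windows Security log records for exposed-RDP indicators.

Added example; not from the article, OCR, or DMS. Input records are
constructed and carry a subset of the fields of Windows Security events
4624 (successful logon) and 4625 (failed logon). Logon type 10 is
RemoteInteractive (RDP). With Network Level Authentication enabled,
failed RDP attempts are commonly logged as logon type 3, so the
brute-force rule counts failures of any logon type.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample records (not real log data). The 203.0.113.0/24 and
# 198.51.100.0/24 addresses are documentation ranges standing in for
# Internet sources.
SAMPLE_EVENTS = [
    {"time": "2017-04-01T02:13:07", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2017-04-01T02:13:09", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2017-04-01T02:13:12", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2017-04-01T02:13:15", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2017-04-01T02:13:19", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2017-04-01T02:13:24", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2017-04-01T02:14:40", "event_id": 4624, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2017-04-01T08:02:11", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.22"},
    {"time": "2017-04-01T09:15:00", "event_id": 4624, "logon_type": 2, "user": "jsmith", "src_ip": "127.0.0.1"},
    {"time": "2017-04-01T22:40:13", "event_id": 4624, "logon_type": 10, "user": "billing2", "src_ip": "198.51.100.9"},
]

RDP_LOGON_TYPE = 10
FAILURE_THRESHOLD = 5          # assumed: failures within WINDOW that count as a brute-force burst
WINDOW = timedelta(minutes=10)  # assumed: look-back window before the successful logon

# Checked explicitly rather than via ipaddress.is_private, which also
# classifies the documentation ranges used in the sample data as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the source address is outside RFC 1918, loopback and link-local space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Rule 1: successful RDP logons whose source address is not internal."""
    return [e for e in events
            if e["event_id"] == 4624
            and e["logon_type"] == RDP_LOGON_TYPE
            and is_external(e["src_ip"])]


def brute_force_then_success(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Rule 2: at least `threshold` failed logons from one source within `window`,
    followed by a successful RDP logon from that same source."""
    ordered = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)   # src_ip -> timestamps of 4625 events
    hits = []
    for e in ordered:
        ts = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            failures[ip].append(ts)
        elif e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append({"src_ip": ip, "user": e["user"],
                             "failures": len(recent), "success_at": e["time"]})
    return hits


def review(events):
    """Run both rules and return the findings keyed by rule name."""
    return {"external_rdp": external_rdp_logons(events),
            "brute_force": brute_force_then_success(events)}


if __name__ == "__main__":
    for rule, findings in review(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

On the sample data the first rule reports two successful RDP logons from non-internal addresses (the `admin` logon from 203.0.113.45 and the `billing2` logon from 198.51.100.9), and the second rule reports the 203.0.113.45 session, which was preceded by six failures in under two minutes. Either finding, reviewed within days rather than twenty months, is the sort of signal the information system activity review requirement is meant to surface.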
DMS agreed to resolve the investigation without admitting liability. Under the terms of the settlement, DMS will pay $100,000 and implement a corrective action plan (CAP) addressing the potential HIPAA violations OCR identified. The CAP requires DMS to conduct a risk analysis, update its risk management plan and its HIPAA Privacy and Security Rule policies and procedures, and provide HIPAA training to its workforce. OCR’s settlement announcement also recommended cybersecurity measures that all HIPAA-covered entities should adopt to prevent and mitigate cyber threats.
OCR said this is its first HIPAA settlement arising from a ransomware attack. Given the growth in ransomware attacks over the past five years, which OCR puts at 278% since 2018, it is likely to be the first of many.
Wright & Filippis Offers $2.9 Million to Settle Class Action Data Breach
Wright & Filippis, a Michigan-based provider of orthotics, prosthetics, and accessibility solutions, has proposed a $2.9 million settlement to resolve claims that it failed to protect the personal data of 877,584 individuals.
In January 2022, Wright & Filippis suffered a ransomware attack. Its security tooling detected the attack but could not prevent file encryption. The forensic investigation determined that the attackers had accessed parts of its network containing the PHI of more than 877,500 individuals, including names, dates of birth, Social Security numbers, health insurance information, and financial account numbers.
Wright & Filippis determined on or about May 2, 2023, that PHI had been compromised, and sent notification letters to the affected individuals. Eight putative class action lawsuits were filed against Wright & Filippis shortly after the notifications went out. The lawsuits were later consolidated into a single case, In re Wright & Filippis, LLC Data Security Breach Litigation, before the U.S. District Court for the Eastern District of Michigan, Southern Division.
The plaintiffs alleged that Wright & Filippis failed to implement appropriate security measures to protect patients’ sensitive information and unreasonably delayed sending breach notification letters. Wright & Filippis denied the allegations. The plaintiffs claimed they had been injured by the company’s negligence, citing theft of their data, identity theft, an imminent risk of fraud, harm from the delayed notifications, out-of-pocket costs, time lost mitigating the effects of the breach, and additional expenses from lowered credit scores and higher costs of credit and insurance.
Wright & Filippis moved to dismiss the lawsuit. After the plaintiffs responded, both sides agreed to mediate the case to see whether an early settlement could be reached, and a $2.9 million settlement fund was agreed. The fund will cover class benefits, notice and administrative costs, service awards, and attorneys’ fees and costs. Under the terms of the settlement, class members may submit a claim for up to $5,000 for documented losses and a claim for credit monitoring services. Additionally, class members may opt for a cash payment, funded from what remains of the settlement fund after class benefits, attorneys’ fees and costs, settlement administration costs, and service awards are paid. The lead plaintiffs will each receive a $1,500 service award.
The settlement awaits the court’s preliminary approval and the scheduling of a final fairness hearing. The plaintiffs were represented by Migliaccio & Rathod LLP, the Miller Law Firm, Milberg Coleman Bryson Phillips Grossman PLLC, Adam Taub Assoc. Consumer Law Group, Shub & Johns LLC, Sommers Schwartz, PC, Mason LLP, Lynch Carpenter LLP, Aronowitz Law Firm PLLC, Zimmerman Reed LLP, Wilshire Law Firm PLC, and The Johnson Firm.