Privacy & Information Security Law Blog

On October 31, 2023, the Department of Health and Human Services (“HHS”) announced the issuance of a settlement agreement with Doctors’ Management Services (“DMS”), a Massachusetts-based medical management company, related to alleged violations of the Health Insurance Portability and Accountability Act’s (“HIPAA’s”) Privacy and Security Rules (collectively, the “HIPAA Rules”). DMS is a HIPAA business associate (“BA”) that provides payer credentialing and medical billing services to HIPAA Covered Entities (“CEs”). 

On April 22, 2019, HHS began investigating DMS after receiving a breach notification indicating that DMS’ network server was infected by the Gandcrab ransomware in April 2017. DMS did not detect the attack until after the ransomware was used to encrypt its files in December 2018. As a result, the electronic protected health information (“ePHI”) of approximately 206,695 individuals was affected. HHS alleged that DMS violated the HIPAA Security Rules by failing to (1) perform an accurate and thorough risk analysis of the technical, physical and environmental risks and vulnerabilities related to ePHI; (2) implement adequate procedures to review records of information system activity on a regular basis; and (3) implement policies and procedures to comply with the HIPAA Rules. 

Under the settlement agreement, DMS must pay $100,000 to resolve the action and comply with a three-year corrective action plan, which includes:

• Performing a risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in DMS’ possession;
• Developing a complete inventory of all electronic equipment, data systems, facilities and applications that contain or store ePHI;
• Providing HHS with documentation regarding its existing security measures, including its network segmentation and infrastructure, vulnerability scanning, logging and alerts and patch management;
• Creating and adopting an enterprise-wide risk management plan;
• Revising its HIPAA policies and procedures and submitting the revisions to HHS for approval; and
• Updating DMS’ HIPAA training program, which includes revising its existing training materials, submitting the updated training materials to HHS for approval, providing training to workforce members who have access to PHI in a timely manner and obtaining certification from each employee stating the employee received such HIPAA training.