A Massachusetts-based medical management company agreed to pay $100,000 in the first ransomware settlement reached under the Health Insurance Portability and Accountability Act (HIPAA) by the Department of Health and Human Services’ Office for Civil Rights (HHS OCR).

Doctors’ Management Service filed a breach report with the HHS in April 2019 regarding a ransomware attack that affected more than 200,000 individuals, the agency said in a press release Tuesday. The company did not detect the intrusion until December 2018, and its investigation determined that the initial access dated back to April 2017.

The details: The HIPAA privacy, security, and breach notification rules set the requirements that regulated entities must follow to protect the privacy and security of health information.

The OCR found that Doctors’ Management Service did not have appropriate measures in place to protect against a cyberattack. It lacked policies and procedures to implement the requirements of the HIPAA security rule, and it had failed to conduct an accurate and thorough risk analysis of the vulnerabilities associated with handling electronic protected health information.

Compliance considerations: As part of the settlement, Doctors’ Management Service agreed to have its compliance with HIPAA monitored by the OCR for three years. The company must implement a corrective action plan requiring it to:

  • Review and update its risk analysis and enterprise-wide risk management plan;
  • Review and potentially revise its written policies and procedures to comply with the privacy and security rules; and
  • Provide workforce training on HIPAA policies and procedures.

Doctors’ Management Service did not respond to a request for comment. The company did not admit liability in reaching the settlement.