The U.S. Department of Health and Human Services (HHS) entered into a settlement agreement on October 31, 2023 with a Massachusetts-based medical management company. The company was a HIPAA business associate of its clients, providing credentialing and medical billing services. The settlement arose from a ransomware attack, and it marks HHS's first settlement involving ransomware, underscoring the growing importance of cybersecurity.
Key Points of the Settlement:
Ransomware Attack Overview:
The HHS investigation began in April 2019, triggered by a breach notification from the business associate (BA). The BA's network server had fallen victim to a GandCrab ransomware attack in April 2017, leading to unauthorized access to the electronic protected health information (ePHI) of over 206,000 individuals.
Security Rule Violations:
HHS's investigation found that the business associate violated the HIPAA Security Rule, as it did not have
Corrective Action Plan Highlights:
Practical Impact and Cybersecurity Awareness:
HHS's emphasis on ransomware as a significant threat underscores the need for robust cybersecurity measures. HR professionals must prioritize risk analysis, the adoption of security measures, and comprehensive employee training to strengthen HIPAA compliance.
Benefit Allocation Systems (BAS) provides best-in-class, online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.
MyEnroll360 can integrate with any insurance carrier for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and many others), and with any payroll system for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and many others).