Green Ridge Behavioral Health in Gaithersburg, Maryland, has agreed to a settlement with the federal Health and Human Services Department's Office for Civil Rights concerning a ransomware attack.
According to a news release issued Wednesday, the $40,000 settlement is only the second time OCR has reached an agreement with a Health Insurance Portability and Accountability Act-regulated entity for potential violations identified during an investigation following such a breach.
The settlement resolves a probe into a February 2019 ransomware attack on the behavioral health practice that affected the protected health information of more than 14,000 individuals.
HHS said OCR’s investigation “found evidence of potential violations” related to requirements for sufficient monitoring of health information systems and for an accurate and thorough analysis to determine potential risks. The department also said its probe found Green Ridge Behavioral Health failed to “implement security measures to reduce risks and vulnerabilities to electronic protected health information.”
The organization did not respond to a request for comment on the settlement.
The agreement comes at a time when healthcare data breaches have reached new highs. In 2023, almost 133 million individuals had information stolen or exposed in breaches. Healthcare data breaches have been the most expensive of any industry for 13 consecutive years, according to a recent report.
In September 2023, HHS agreed to a $1.3 million settlement with L.A. Care Health Plan for a similar breach.