New Enforcement Action Ties to Ransomware and Risk Analysis Compliance Efforts

In a significant enforcement action, federal regulators imposed a $25,000 fine on Comprehensive Neurology, a specialty practice located in Hollis, New York. This penalty stems from a ransomware attack in 2020 that compromised the personal information of nearly 7,000 individuals.
The U.S. Department of Health and Human Services (HHS) found that Comprehensive Neurology did not adequately perform a risk analysis to identify vulnerabilities concerning its electronic protected health information (ePHI). As part of the settlement, the organization must also implement a corrective action plan to enhance its security measures.
This latest enforcement action marks the twelfth related to ransomware since HHS’s Office for Civil Rights launched its initiative in 2023, and the eighth under its security risk analysis program. This program aims to ensure compliance with HIPAA regulations and improve cybersecurity within the healthcare sector.
According to HHS OCR, the breach led to the malicious encryption of all patient files, involving sensitive information such as names, clinical records, health insurance data, Social Security numbers, and driver’s license numbers. The incident’s scale illustrates the potential impact of ransomware attacks on healthcare entities.
As part of the resolution agreement signed on February 7, Comprehensive Neurology will engage in a comprehensive security risk analysis and establish a risk management plan to address identified vulnerabilities over the following two years. Workforce training on HIPAA protocols will also be mandated to boost compliance and security awareness.
Given the nature of the attack, tactics such as initial access and data encryption were likely used, matching adversarial techniques catalogued in the MITRE ATT&CK framework. Mapping an incident to those techniques helps explain how similar attacks unfold and underscores why proactive risk management matters in mitigating such threats.
Comprehensive Neurology has opted not to comment on the imposed settlement at this time, but the case serves as a critical reminder for healthcare providers to prioritize cybersecurity measures and regulatory compliance to protect sensitive patient information effectively.