Frederick Health Recovering from Ransomware Attack – HIPAA Journal
The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance
Posted By Steve Alder on Jan 28, 2025
Frederick Health in Maryland is investigating a ransomware attack, Holdrege Memorial Homes in Nebraska has mailed notification letters to individuals affected by a 2023 data breach, and Square Medical Group in Massachusetts has identified an email breach at an IT vendor.
Frederick Health in Maryland announced on January 27, 2025, that it is currently dealing with a ransomware attack that forced it to take its systems offline. The attack is disrupting patient services due to the lack of access to IT systems, resulting in delays to certain services. Frederick Health has confirmed that all its facilities remain open with care provided using established backup and other downtime processes. Most appointments are continuing as scheduled.
Frederick Health is working with third-party cybersecurity experts to investigate the breach, determine the extent of unauthorized access, and bring its IT systems back online quickly and safely while prioritizing patient care. The primary focus is restoring its IT systems; however, the incident is being investigated to determine if the threat actor accessed or stole patient data. At this early stage of the investigation, it is too early to tell to what extent, if any, patient data has been compromised.
Holdrege Memorial Homes, a Holdrege, NE-based assisted living/skilled nursing facility operator, has notified 1,446 residents and employees about a network security incident that occurred in the fall of 2023. The forensic investigation confirmed that a threat actor had access to its network from October 9, 2023, to November 27, 2023, and during that time, may have accessed or acquired sensitive employee and resident data. The forensic investigation and manual document review were completed on January 6, 2025, 15 months after its network was first breached. Notification letters have now been mailed to the affected individuals.
The information exposed and potentially stolen varied from individual to individual and may have included names in addition to one or more of the following: date of birth, Social Security number, medical treatment, procedure, and/or diagnosis information, medical record number, medical provider information, medical prescription information, Medicaid and/or Medicare number, dates of service, health insurance claim and/or policy information. Holdrege Memorial Homes said the incident has been reported to law enforcement and additional security measures have been implemented to prevent similar incidents in the future.
Square Medical Group, a Massachusetts-based behavioral health and substance use disorder treatment service provider, has announced a data security incident at an IT vendor. Square Medical Group learned on November 22, 2024, that the IT vendor sent an administrative email message to a group of recipients, where the email recipients had their email addresses added to the cc rather than the bcc field. The email contained general information related to invoice delivery.
The error was immediately identified, and a follow-up email was sent to all recipients warning them about the privacy breach, which was attributed to human error. The email error resulted in email recipients having their email addresses exposed to other recipients of the message. The IT vendor was instructed to counsel the employee responsible and provide further training for all staff members to prevent similar incidents in the future. The email breach was reported to the HHS’ Office for Civil Rights as affecting 2,363 individuals.
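The cc/bcc mistake described above is a failure mode an outbound mail pipeline can catch before sending. The following is an added example, not code from HIPAA Journal or from the vendor involved; the recipient threshold and the two sample messages are constructed assumptions:

```python
"""Pre-send guard for bulk administrative email: flags a message whose
recipient list would be visible to every recipient (To/Cc instead of Bcc).
Added illustration; threshold and sample messages are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumption: anything addressed to more than this many visible recipients
# is a bulk mailing and should carry its recipients in Bcc instead.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: Message) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc.
    Bcc is deliberately not inspected; it is stripped before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_bulk_disclosure(raw: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Return a verdict for one RFC 5322 message.

    'disclosed' lists the addresses that would be exposed to the other
    recipients if the message were sent as-is; 'ok' is True when the
    number of distinct visible recipients is within the limit."""
    msg = message_from_string(raw)
    visible = set(visible_recipients(msg))
    exposed = sorted(visible) if len(visible) > limit else []
    return {"ok": not exposed, "visible_count": len(visible), "disclosed": exposed}


# Constructed sample: the vendor error, recipients placed in Cc.
BAD_MESSAGE = (
    "From: billing@vendor.example\r\n"
    "To: billing@vendor.example\r\n"
    "Cc: a@clinic-one.example, b@clinic-two.example, c@clinic-three.example\r\n"
    "Subject: Invoice delivery\r\n\r\n"
    "Invoices are now delivered via the portal.\r\n"
)

# Constructed sample: the correct form, recipients placed in Bcc.
GOOD_MESSAGE = (
    "From: billing@vendor.example\r\n"
    "To: billing@vendor.example\r\n"
    "Bcc: a@clinic-one.example, b@clinic-two.example, c@clinic-three.example\r\n"
    "Subject: Invoice delivery\r\n\r\n"
    "Invoices are now delivered via the portal.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("cc version", BAD_MESSAGE), ("bcc version", GOOD_MESSAGE)):
        print(label, check_bulk_disclosure(raw))
```

A check like this belongs in the sending tool or mail gateway, where it can block the message or require a second approval rather than rely on a follow-up apology email.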
Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
The provision of refresher training when there is a material change to policies and procedures is necessary to ensure all members of the workforce affected by the change are made aware of it. Refresher training only has to be provided to those the change affects; but, if the training relates to a change in HIPAA policies and procedures, the training must be documented and – where required by state law – attested to by those who attend. In addition, it is a best practice to provide annual refresher training to all members of the workforce so that those not directly affected by material changes to policies and procedures are made aware of them.
It is important that all members of the workforce receive ongoing security awareness training for two reasons. The first reason – that training is provided to all members of the workforce – is because an attacker can infiltrate a network via a device that does not have access to electronic PHI, and then move laterally through the network until they find a healthcare database to attack. The second reason – that training must be ongoing – is due to the evolving nature of cyberthreats. Members of the workforce must be informed about the latest threats, how to recognize them, and how to report them.
HIPAA Authorization Forms have to comply with §164.508 in order to be valid. If a HIPAA Authorization Form lacks the core elements or required statements, if it is difficult for the individual to understand, or if it is completed incorrectly, the authorization will be invalid and any subsequent use or disclosure of PHI made on the reliance of the authorization will be impermissible. For this reason, members of the workforce responsible for obtaining valid authorizations must be trained on the implementation specifications of this standard. HIPAA Authorization Forms must be stored for a minimum of 6 years.
The requirement to have a security management process is the first standard in the HIPAA Security Rule’s Administrative Safeguards. The process must consist of at least a risk analysis, an actioned remediation plan, a sanctions policy, and procedures to regularly review information system activity. All analyses, remediation plans, sanctions, and reviews must be documented. Documentation must be stored for at least 6 years, either physically on paper or via HIPAA compliance software.
There are many examples of when it may be necessary to retrieve documentation within a specific timeframe to comply with HIPAA. The most common is when an individual requests access to their PHI maintained in a designated record set. Less common examples include when an individual wishes to revoke an authorization or when HHS’ Office for Civil Rights requests documentation to resolve a HIPAA complaint. In most cases, the documentation has to be provided within 30 days.
It is necessary to monitor business associate compliance because a covered entity can be held liable for a violation of HIPAA by a business associate if the covered entity “knew, or by exercising reasonable diligence, should have known” of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligations under the HIPAA Business Associate Agreement.
It is important to identify partners and vendors that qualify as business associates because when a service is provided for or on behalf of a covered entity that involves the creation, receipt, maintenance, or transmission of PHI, a HIPAA Business Associate Agreement has to be entered into which stipulates the permitted uses and disclosures of PHI by the business associate, both parties’ compliance obligations, and other terms that may apply.
The application of sanctions is important to ensure members of the workforce do not take compliance shortcuts “to get the job done”, and the shortcuts deteriorate into a culture of non-compliance. The sanctions applied should be relevant to the nature of the violation. For example, a verbal warning and/or refresher training may be appropriate for a minor violation, while repeated or more serious violations should attract harsher sanctions. The application of sanctions must be documented and records stored for at least 6 years, either physically in paper records or with HIPAA compliance software.
A HIPAA Notice of Privacy Practices advises patients and plan members of their privacy rights, how the organization can use or disclose PHI, and how an individual can complain if they believe their privacy rights have been violated or their PHI has been used or disclosed impermissibly. Notices must be reviewed and amended as necessary whenever a material change affects either an individual’s rights or how PHI can be used or disclosed. They must then be re-distributed and/or re-displayed in accordance with §164.520.
Members of the workforce must know how to respond to patient access and accounting requests – even if it is to direct the request to the HIPAA Privacy Officer – because the primary reason for complaints to HHS’ Office for Civil Rights in recent years has been the failure to respond in the time allowed with the information requested. At present, the majority of HIPAA enforcement activities focus on non-compliance with the patients’ rights standards of the HIPAA Privacy Rule.
The documentation and record keeping of every HIPAA training session is important for two reasons – so that covered entities can keep up to date with which members of the workforce have received what training in the event of transfers or promotions, and so that covered entities can demonstrate the training has been provided in the event of an OCR compliance investigation. Workforce attestation is also required by some state laws with more stringent privacy protections than HIPAA.
The healthcare sector, and healthcare records in particular, are often targeted by hackers because of the billing details contained in medical records and the value, to ransomware operators and fraudsters, of the personal information in Protected Health Information. Email is one of the most common attack vectors. It is important that healthcare staff know how to identify malicious software and phishing emails because the detection capabilities of security software are limited by how the software is configured and how frequently it is updated. Even the best security software can allow threats to evade detection and, when this happens, users need to be able to identify the threat and report it so other users do not (for example) open a malicious attachment or interact with a phishing email.
The Administrative Requirements of the Privacy Rule (§164.530) require covered entities to train all members of their workforces on the policies and procedures developed to comply with the Privacy and Breach Notification Rules. Naturally, the sooner training is provided, the less chance there is of an inadvertent impermissible disclosure due to a lack of knowledge. It is important to note that training must be provided even if a new member of the workforce has held a similar role in a previous position, and that some states have mandatory time frames within which training must be provided (for example, in Texas, training must be provided within 90 days).
It is necessary to prove the breach notification requirements are complied with to ensure covered entities and business associates do not overlook notifying individuals in the required timeframe when submitting an annual breach report to HHS’ Office for Civil Rights for breaches affecting fewer than 500 individuals. Some organizations have delayed notifying individuals about data breaches, increasing the risk of individuals’ data being used to commit identity theft or fraud before individuals have the opportunity to protect themselves from such events. The burden of proof standard mitigates the likelihood of individuals being overlooked.
While many types of impermissible uses and disclosures, data thefts, and unauthorized access events are clearly notifiable breaches, there are also many types that are not. If it can be determined that an impermissible use or disclosure does not qualify as a notifiable breach by using the exclusion criteria in §164.402, it will not be necessary to comply with the breach notification requirements – saving organizations time and money, and a potential compliance review by HHS’ Office for Civil Rights.
Although it is not a requirement of HIPAA to provide an anonymous reporting channel, members of the workforce should be encouraged to speak out when they believe a violation of HIPAA has occurred so that the incident can be investigated and corrected if necessary. It is felt (although it cannot be proven) that anonymous reporting channels generate more reports because members of the workforce feel protected against retaliation. However, if an anonymous reporting channel is provided, it needs to be used in compliance with HIPAA, and any PHI contained within an anonymous report has to be safeguarded against unauthorized access, loss, and theft.
It is important to execute HIPAA-compliant Agreements with business associates because if an Agreement does not comply with the relevant standards it is invalid. If an Agreement is invalid, covered entities are not permitted to disclose PHI to the business associate, and any disclosure of this nature would represent a violation of HIPAA.
It is important for organizations to monitor changes to transaction code systems for two reasons. The first is that using out-of-date transaction codes can result in delays to (for example) authorizations and payments. The second reason is that organizations that persistently use out-of-date transaction codes can be reported to CMS, which has the authority to enforce Part 162 of HIPAA via corrective action plans and financial penalties.
The National Provider Identifier identifies your organization or subparts of your organization in Part 162 transactions. It is important that NPIs are used correctly in (for example) eligibility checks and authorization requests to prevent delays in responses to requests for treatment. It is also important that NPIs are used correctly in claims and billing transactions to make sure payments are received on time.
Automatic logoff capabilities are important to prevent unauthorized users from accessing ePHI when a device is unattended. Additionally, if a device is lost or stolen, the device cannot be used to access ePHI without the login credentials being known and used.
It is important that login credentials and passwords are not shared for systems that contain ePHI because, if multiple users are using the same access credentials, it will be impossible to determine when specific users access ePHI. As well as eliminating the usefulness of audit logs and access reports, if a system has been configured to reject multiple logins using the same credentials, it could result in users being blocked from accessing ePHI when necessary, or the system being corrupted.
The requirements to implement and test a data backup plan, an emergency mode operations plan, and a disaster recovery plan fall within the contingency plan standard of the Security Rule (§164.308). These requirements are designed to ensure the integrity and availability of ePHI in the event of a natural or manmade disaster.
Information access policies should make sure that the right people have access to the right level of ePHI at the right time. This means the policies have to be sufficiently flexible to support changing roles, promotions, and time off due to (for example) a suspension or maternity leave. The policies should also include procedures for terminating access to ePHI when a member of the workforce leaves so the departing individual cannot access the organization’s ePHI remotely.
The reason it is necessary to have procedures in place to respond to patients exercising their HIPAA rights is that some rights are susceptible to exploitation. For example, procedures should be in place to verify the identity of patients, review confidentiality requests, and determine if a request is being made to support an abusive, deceptive, or harmful activity.
The minimum necessary standard (§164.502(b) and §164.512(d)) requires that only the minimum necessary information is used or disclosed to achieve the purpose of the use or disclosure. This is to better protect the privacy of individually identifiable health information. However, the standard does not apply in every circumstance, and covered entities that apply the standard too rigidly could encounter communication challenges or, in some cases, be in violation of other HIPAA regulations.
Although covered entities and business associates have many similar HIPAA compliance obligations, some regulations apply differently to each type of organization depending on the nature of their activities. If you qualify as a covered entity, and you also provide services to other covered entities as a business associate, it will be necessary for you to complete the assessment twice.