Maryland Clinic Settles HIPAA Violations After Ransomware Attack
In February 2024, Green Ridge Behavioral Health (GRBH), a small behavioral health clinic in Maryland, reached a settlement with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) following a ransomware attack that compromised the protected health information (PHI) of more than 14,000 patients. The clinic agreed to pay $40,000 and implement a comprehensive corrective action plan, highlighting the importance of robust data security practices in behavioral health care.
Background on the Incident
The ransomware attack, reported by GRBH in February 2019, involved the encryption of its network servers and electronic health records. This breach halted operations and exposed sensitive patient data, drawing the attention of federal regulators.
Although GRBH was a relatively small provider, the OCR found that it had failed to meet several core HIPAA compliance requirements. The case reinforces that no healthcare provider is too small to face the consequences of a security breach.
Findings from the Investigation
The OCR identified multiple HIPAA violations during its investigation, including:
- Failure to conduct a risk analysis: GRBH did not adequately assess vulnerabilities to electronic PHI.
- Inadequate risk management: The clinic lacked sufficient safeguards to reduce risks to patient data.
- Insufficient monitoring: GRBH did not have a system in place to routinely review access logs or track security events.
Terms of the Settlement
To resolve the alleged violations, GRBH agreed to a $40,000 payment and a three-year corrective action plan. The plan includes:
- Conducting a thorough and updated risk assessment
- Implementing a risk management strategy to address identified issues
- Updating HIPAA policies and procedures
- Providing workforce training on HIPAA compliance
- Reviewing third-party business associate agreements
- Reporting internal non-compliance to OCR
Why This Matters for ABA Providers
This case serves as a cautionary tale for all healthcare providers, including those in the Applied Behavior Analysis (ABA) field. Behavioral health clinics often handle highly sensitive patient data and are increasingly targeted by cybercriminals. The GRBH case shows that failing to proactively secure data and comply with HIPAA can result in both financial penalties and reputational damage.
ABA providers should take the following steps:
- Conduct regular, documented risk assessments
- Ensure staff are trained on HIPAA compliance and cybersecurity best practices
- Implement and monitor robust data protection measures
- Maintain active review systems for all information systems and access logs
Even small practices must take HIPAA compliance seriously. As this case shows, federal regulators expect all providers—regardless of size—to safeguard patient information with diligence and integrity.
