Ransomware Attack on Delaware Mental Health Provider Could Result in $400,000 in HIPAA Fines

Dr. Susan Moore

TEMVI CEO News Contributor

Published Monday, November 15, 2021 11:33AM ET

Newark, Delaware—On Tuesday, March 12, behavioral health provider Delaware Guidance Services for Children and Youth, Inc. (“DGS”) was forced to send a letter to parents and guardians of its young patients. The letter explained that DGS had become the victim of a ransomware attack that had encrypted its patient records. Those records contained personal information such as name, address, date of birth, Social Security number, and medical information.

To secure release of the records, DGS was required to pay a “ransom” in exchange for a decryption “key” that unlocked them. Because there is a strong possibility that the records had been accessed, corrupted or exfiltrated, DGS also had to bear the expense of notifying victims and offering them other services and support, in addition to paying the ransom demand.

The notification letter, signed by Executive Director Jill Rogers, MSN, does not say how much DGS paid for the decryption key, nor does it explain why DGS opted to pay the ransom. “These attacks put us in a no-win situation,” said one unnamed source familiar with the attack. “If we had not paid the ransom, we would have been effectively shut down. So, we paid the hacker, but now we have no guarantee the hackers didn’t create a back door on the system and won’t be back again next month.”

“I understand why an organization would feel the need to pay a ransom, but doing so increases the likelihood of more ransomware attacks,” says Bruce Hargrave, CISSP, an expert with 30 years of providing cybersecurity solutions for Fortune 100 companies and the federal government. “A system security plan that includes proper monitoring, plus audit and system redundancies, can eliminate the need to pay.”

At this point, DGS’s ultimate response will involve completely rebuilding its IT infrastructure. “However,” said the source, “if the attacker was working with an employee or contractor on the inside, using a social engineering attack, they will have access to the new system just as easily as they did the first time.”

A social engineering attack gains access to the IT system by bribing, tricking or extorting the access credentials from a legitimate system user. Once the attacker is behind the firewall, he can operate freely without detection.

Hargrave indicated that without a comprehensive system security plan, mental health providers are typically forced to bear the costs of paying the ransom, notifying affected parties, and implementing technical measures to address vulnerabilities. These providers can also face regulatory penalties under HIPAA and lawsuits from injured parties.

The criminal penalties for HIPAA violations can be severe. The minimum fine for willful violations of HIPAA Rules is $50,000. The maximum criminal penalty for a HIPAA violation by an individual is $250,000. Restitution may also need to be paid to the victims. In addition to the financial penalty, a jail term is likely for a willful criminal violation of HIPAA Rules. It is important to realize that, in these cases, willfulness can be imputed to an individual by courts on the basis of conduct.

“The biggest loss is the loss of the confidence of our patients and our reputation for maintaining a safe space for kids to share their deepest feelings and concerns,” said a source familiar with the provider. “If we can’t maintain client confidence, we really can’t exist.”