In what the HHS Office for Civil Rights (OCR) called its second such settlement stemming from a ransomware attack, a Maryland behavioral health provider agreed to pay $40,000 and implement a three-year corrective action plan (CAP). The agreement between OCR and Green Ridge Behavioral Health LLC of Gaithersburg was the second settlement the agency announced in February, along with a new initiative to focus enforcement efforts on covered entities that lack a risk assessment, as was found in both cases.[1]
However, the Green Ridge settlement appears to have been signed in late October, perhaps before or coinciding with what the agency called its first ransomware settlement, which OCR announced on Oct. 31, with Doctors’ Management Services (DMS), a business associate based in West Bridgewater, Mass. It is not known why OCR did not release the Green Ridge settlement last year.