News Briefs: November 6, 2023

In what the HHS Office for Civil Rights (OCR) called its “first ransomware agreement,” Doctors’ Management Services (DMS)—a Massachusetts medical management company—agreed to pay $100,000 in a HIPAA settlement, OCR said Oct. 31.[1] According to the resolution agreement, OCR started investigating DMS, which is a business associate for several covered entities, based on its breach report. “The report stated that approximately 206,695 individuals were affected when the DMS network server was infected with GandCrab ransomware,” the resolution agreement states. “The initial unauthorized access to the network occurred on April 1, 2017; however, DMS did not detect the intrusion until December 24, 2018 after ransomware was used to encrypt their files.” OCR concluded that DMS allegedly didn’t do a thorough risk analysis to assess its technical, physical and environmental risks and vulnerabilities associated with handling electronic protected health information (ePHI) and didn’t adopt “reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.” DMS didn’t admit liability in the agreement, which also requires it to implement corrective actions.
