Is Ransomware Reportable Under HIPAA Requirements?

The Office for Civil Rights (OCR) states that “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Bad guys having control over your data and blackmailing you to retrieve the decryption keys qualifies as a breach.

If ransomware is found on your system but has not yet been active, this would be an incident rather than a breach, and you would go through your normal incident response plan.

There are only a few exceptions that might save you from having to report a ransomware event. Can you demonstrate a “low probability that PHI has been compromised, read or exfiltrated”? The following might be employed to identify this low probability of exposure.

  • A risk assessment identifies the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification, and the risk is deemed low.
  • An assessment of risk was conducted on the unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed: if you can prove with high assurance that no information left your network, then you might not have to disclose.
  • During the assessment you must measure the extent to which the risk to the PHI has been mitigated.
  • You must determine whether there is a high risk of unavailability of PHI.
  • You must determine whether there is a high risk to the integrity of the PHI, i.e., that it was altered.

F1 protects our clients through a myriad of technical safeguards; however, no technology can replace employee education. With all of the technical safeguards that multi-billion dollar companies have in place, ransomware is still successful because it only takes one employee to click on a cleverly disguised e-mail to infect your organization.

If you suspect a breach of patient data or other sensitive information, F1 is here to help advise you on what your next steps should be.
