At the PHI Protection Network conference last week, a lot of time was spent discussing the increasing rate of ransomware attacks. A number of people were asked whether they thought that ransomware attacks that (merely) locked up the data with no evidence of exfiltration had to be reported to HHS. A variety of answers were reported. Here is what Lesley Cothran, a Public Affairs Specialist for the Department of Health and Human Services had to say:
“Under HIPAA, an impermissible use or disclosure of protected health information is presumed to be a breach (and therefore, notification is required) unless the entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been
Because it is considered to be a “disclosure” if access has been provided (without regard to whether or not the information actually was accessed or viewed), and hackers using ransomware do have access to the data, an impermissible disclosure has occurred – and notification is presumably required – unless a “low probability of compromise” has been demonstrated, and “whether the [PHI] was actually acquired or viewed” is only one of the
So, HHS is making more vague suggestions and statements, no surprise there. That leaves it to covered entities to demonstrate a “low probability of compromise” in a ransomware attack. A lot of factors would come into play here. First, a covered entity would have to show that no data was removed, by producing logs that attest to this fact. Second, it would have to figure out what happened once the attackers got in, and what information they accessed. Third, it would need a full backup of patient data so that it can restore any missing files after removing the malware. Fourth, it would have to demonstrate that no patient data has been corrupted or altered. After all that, a covered entity could potentially argue that it had adequately demonstrated low risk and that notification was not required.
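The step of demonstrating that no patient data was corrupted or altered is the one that can actually be backed with evidence rather than argument. The usual way is to compare the restored files against a hash manifest taken before the incident. The following is an added example, not code from the original post; the patient record file names, their contents and the ransom-note file are constructed for illustration, and the directory layout is hypothetical. It assumes the baseline manifest was generated from production storage before the incident and kept with the backups, where the attacker could not reach it; a manifest that lived on the encrypted host proves nothing.

```python
"""Added example: verify restored PHI files against a pre-incident hash manifest.

Not code from the original post. File names, contents and directory layout are
constructed for illustration. Assumption: the baseline manifest was produced
before the incident and stored out of the attacker's reach (e.g. with backups).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large record sets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path: verified (same digest), altered (digest differs),
    missing (only in baseline) or unexpected (only in current)."""
    base_paths, cur_paths = set(baseline), set(current)
    common = base_paths & cur_paths
    return {
        "verified": {p for p in common if baseline[p] == current[p]},
        "altered": {p for p in common if baseline[p] != current[p]},
        "missing": base_paths - cur_paths,
        "unexpected": cur_paths - base_paths,
    }


def write_files(root: Path, files: dict) -> None:
    """Helper for the constructed scenario: materialise {relative path: bytes} under root."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Constructed scenario: pre-incident manifest versus the post-restore file set."""
    pre_incident = {  # constructed sample records, not real PHI
        "records/patient-0001.json": b'{"mrn": "0001", "dx": "J45.20"}\n',
        "records/patient-0002.json": b'{"mrn": "0002", "dx": "E11.9"}\n',
        "records/patient-0003.json": b'{"mrn": "0003", "dx": "I10"}\n',
    }
    # After restore: 0001 intact, 0002 altered, 0003 missing, ransom note left behind.
    post_restore = {
        "records/patient-0001.json": pre_incident["records/patient-0001.json"],
        "records/patient-0002.json": b'{"mrn": "0002", "dx": "E11.9", "note": "tampered"}\n',
        "records/README_DECRYPT.txt": b"constructed ransom note placeholder\n",
    }
    with tempfile.TemporaryDirectory() as before, tempfile.TemporaryDirectory() as after:
        write_files(Path(before), pre_incident)
        write_files(Path(after), post_restore)
        baseline = build_manifest(Path(before))   # in practice: loaded from offline storage
        return compare_manifests(baseline, build_manifest(Path(after)))


if __name__ == "__main__":
    result = demo()
    for category in ("verified", "altered", "missing", "unexpected"):
        for path in sorted(result[category]):
            print(f"{category:10s} {path}")
```

Run as a script it lists each restored file under one of the four headings; the "altered" and "missing" sets are what would have to be empty before an entity could credibly claim no patient data was corrupted or lost. Note what this does not show: a clean manifest comparison says nothing about whether the data was copied out before it was encrypted, so it supports only the integrity step above, not the exfiltration question, which still depends on egress logging.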
However, HHS may still feel differently, and decide to levy a fine against a covered entity for failing to follow HIPAA and report the attack as a breach. The best course of action is to treat any attack on a system containing PHI as a breach, and report it accordingly.