Ransomware Attack Might Be Reportable PHI Breach, HHS Says



Covered entities and business associates attacked by ransomware may need to report the breach to the federal government, according to an HHS fact sheet.

Ransomware is malicious software that makes a victim's data inaccessible by encrypting it with a key known only to the attacker, who then demands a ransom for the key.

A recent increase in ransomware attacks on hospitals has caused the Department of Health and Human Services to release guidance on ransomware and HIPAA. Published July 11, the guidance clarifies federal privacy regulations that have been in effect since 2013.

The fact sheet says that any time electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach is presumed to have occurred, because the ePHI was acquired by an unauthorized party.

In cases where ePHI that was already encrypted in a manner consistent with HHS guidance is then encrypted by ransomware, it is not considered unsecured PHI, and therefore a risk assessment and breach notification are not required. Whether that exception applies is fact-specific: full-disk encryption, for example, does not secure ePHI against ransomware that runs while the data is decrypted for a logged-in user's session.

Covered entities or business associates who suspect a breach has occurred must first conduct a four-factor risk assessment to determine the probability that PHI has been compromised. The risk assessment should include:

  • the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • the unauthorized person who used the PHI or to whom the disclosure was made;
  • whether the PHI was actually acquired or viewed; and
  • the extent to which the risk to the PHI has been mitigated.

If a breach has occurred, the entity is required to comply with the breach notification provisions. That means notifying affected individuals without unreasonable delay, and no later than 60 days after discovery. Breaches affecting more than 500 individuals must also be reported to HHS within the same period and announced to prominent media outlets serving the affected area; smaller breaches are logged and reported to HHS annually.

The fact sheet also recommends that entities infected with ransomware contact their local Federal Bureau of Investigation or United States Secret Service field office.

The fact sheet emphasizes that maintaining compliance with the HIPAA Security Rule can help covered entities and business associates prevent malware infections and recover from security incidents.

For example, the Security Rule requires covered entities and business associates to maintain an overall contingency plan and security incident procedures. According to the fact sheet, a strong security incident procedure should include processes to:

  • detect and conduct an initial analysis of the ransomware;
  • contain the impact and propagation of the ransomware;
  • eradicate the instances of ransomware and mitigate or remediate the vulnerabilities that permitted the ransomware attack and its propagation;
  • recover from the ransomware attack by restoring data lost during the attack and returning to "business as usual" operations; and
  • conduct post-incident activities, such as a deeper analysis of the evidence to determine whether the entity has any incident-related regulatory, contractual or other obligations, and incorporating lessons learned into the entity's overall security management process.
