HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

California Ransomware Bill Passed by State Senate Committee

Californian Senator Bob Hertzberg introduced a new bill (Senate Bill 1137) in February which proposes an amendment to the penal code in California to make it a crime to knowingly install ransomware on a computer.

The bill has now been passed by the senate’s Committee on Public Safety, taking it a step closer to being introduced into the state legislature. The bill must now go before the state Senate Appropriations Committee; after which it will be considered by both houses.

Currently, state law in California covers crimes relating to computer services, including “knowingly introducing a computer contaminant,” as well as extortion, the latter being defined as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.” Under existing laws, extortion is punishable with a prison term of 2, 3, or 4 years.

Ransomware is already covered under current laws, although Senator Hertzberg believed an update was necessary given the extent to which ransomware is now being used to extort money from businesses. FBI figures suggest that in the first 3 months of 2016, $209 million was extorted from U.S. companies. The total for the whole of 2015 was only $25 million.


Senator Hertzberg hopes to introduce new penalties specifically for these ransomware attacks. Individuals conducting attacks could be fined up to $10,000 and be sentenced to 2, 3, or 4 years in jail, although prosecuting attorneys could also pursue additional charges under existing state laws. Additional punitive charges may also be incurred depending on the degree of financial harm caused to the organization in question.

The new bill would make it an offense to knowingly introduce ransomware, by directly placing a lock on files or a computer system, or instructing another individual to do so.

The new bill uses the following definition of ransomware:

The new bill may introduce new penalties for the perpetrators of these attacks, although it is unlikely to serve as much of a deterrent. Many ransomware attacks are conducted by foreign nationals based outside the United States. Not only is it difficult to identify the attackers; even if they can be located, extraditing them to face charges in the United States is a complicated process.

Hertzberg did state in his testimony that the current laws do cover ransomware infections, but the rise in ransomware attacks warranted an amendment to the penal code.

Senate Bill 1137 can be viewed at this link.

CIO Tells of Aftermath of Hollywood Presbyterian Medical Center Ransomware Attack

Hollywood Presbyterian Medical Center (HPMC) CIO Steve Giles gave testimony at the Public Safety Committee hearing and provided further information on the HPMC ransomware attack in February. The attack was one of a number experienced by healthcare organizations and businesses in the past two months, although other healthcare organizations claimed they did not give in to the attackers’ demands. HPMC was given little choice but to pay the 40 Bitcoin – $17,000 – ransom to obtain the decryption keys to unlock the ransomware-encrypted files.

Giles explained that on February 5, 2016, the medical center had all of its systems shut down by ransomware. He said, “Every system within the medical center became inaccessible. This created panic to some degree within the nursing and physicians staff.” The medical center later received two ransom demands totaling 40 Bitcoin, accompanied by a threat that payment had to be made within 5 days or the files and systems would be permanently locked.

Not having a Bitcoin account, staff at the hospital had to withdraw money and transfer the funds into the untraceable Bitcoin currency. After the payment was made, the attackers made good on their promise and supplied the keys to unlock the encryption. HPMC was sent 900 separate decryption keys – one key for each device that had been encrypted. The process of removing the infection took some time to complete, with staff required to unlock each server and device individually.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.