As the Department of Health and Human Services’ Office for Civil Rights (OCR) has previously explained in its ransomware guidance, if ePHI is encrypted by ransomware, the attack is usually a HIPAA breach and a reportable incident. (The exception under the Breach Notification Rule is PHI that was already encrypted by the covered entity in line with HHS guidance before the attack; such PHI is “secured,” and its encryption by ransomware does not by itself trigger notification.)
OCR points out in its ransomware guidance that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” going on to explain that the definition of a breach in HIPAA is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”
A ransomware attack qualifies as a HIPAA breach because the actions of the attackers have resulted in the acquisition of PHI, in the sense that unauthorized individuals have taken control of the data.
The only time that a breach report – and notifications to patients – would not be required would be if the covered entity can demonstrate “a low probability that the PHI has been compromised.” OCR suggests covered entities can make that determination only after a risk assessment has been performed, basing the decision on four factors: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
However, what about the recent NotPetya attacks? Many organizations were affected, including healthcare organizations in the United States that are HIPAA covered entities or business associates. One of those organizations is Nuance Communications, a business associate of several healthcare providers.
Nuance Communications has previously announced that it was severely affected by NotPetya. More than three weeks after the attack, only 75% of its clients had regained access to its systems, and the disruption to business services has been considerable.
Since Nuance Communications holds PHI, the incident would appear to require a breach report to be submitted to OCR and for affected individuals to be notified. However, the decision was taken not to report the incident and not to send notification letters.
Interestingly, rather than simply not sending notices, Nuance Communications has published a notice stating that it will not be sending notifications, and in that notice it explains the rationale behind the decision.
A ransomware incident may usually be a HIPAA breach, but Nuance Communications has explained that NotPetya was not ransomware. In the notice, Nuance said the malware “was not designed to give its perpetrators any capability to control data on affected systems. To date, we have seen no indication that the malware functioned differently in practice on affected Nuance systems.”
Nuance also pointed out that the malware had not been developed to provide access to data on affected systems, nor was it developed to copy any information or to target the types of PHI that Nuance holds.
Nuance said, “Accordingly, based on facts presently known, while Nuance has determined that the incident constitutes a security incident for purposes of the HIPAA Security Rule, Nuance also has determined the incident does not constitute a breach of unsecured PHI for purposes of the Breach Notification Rule.”
Nuance explained that the notice and explanation were provided as a courtesy and to inform its healthcare customers that a security incident had occurred, thereby fulfilling its obligations under the business associate agreements the firm had signed. However, OCR will not be notified and individuals will not receive breach notification letters.