OCR Ransomware Guidance: Ransomware Attacks Are Reportable Breaches

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance on ransomware.

A fact sheet on healthcare ransomware attacks has been published along with a 12-page document providing technical guidance for CIOs and CISOs on best practices to adopt to prevent ransomware infections, mitigation strategies to adopt when ransomware is installed on computers or healthcare networks, and detailed information on the correct ransomware response.

The new guidance is essential reading for CISOs, CIOs, and all members of the senior leadership team.

Ransomware and HIPAA

The OCR has confirmed the proactive measures that covered entities should take to prevent ransomware infections:

  • Perform a comprehensive, organization-wide risk analysis
  • Establish a plan to remediate any identified risks to the confidentiality, integrity, or availability of ePHI
  • Implement policies and procedures to safeguard ePHI against malicious software – including malware and ransomware
  • Provide staff members with training on cybersecurity best practices
  • Train authorized users to detect malicious software and how and to whom ransomware and malware infections should be reported
  • Perform regular data backups and test those backups to ensure data can be restored
  • Develop and maintain an overall contingency plan including disaster recovery and emergency operations

Ransomware Attacks Are Reportable as HIPAA Breaches

There has been much debate in recent months about whether healthcare ransomware infections are reportable as data breaches under Health Insurance Portability and Accountability Act (HIPAA) Rules. Many security professionals were of the opinion that since ransomware does not usually involve data theft, ransomware attacks would not be reportable to the OCR as breaches and would not require notifications to be sent to patients or plan members.

The new guidance makes it quite clear that is not the case. Ransomware infections are reportable breaches under HIPAA, unless a covered entity can clearly demonstrate that there is a “low probability” that the Protected Health Information of patients or health plan members was not compromised. Otherwise a full breach response is required in accordance with the HIPAA Breach Notification Rule – 45 C.F.R. 164.400-414.


Under the HIPAA Privacy Rule – 45 C.F.R. 164.402.6 – a data breach is classed as “The acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”

If a malicious actor gains access to ePHI and encrypts data, the OCR has confirmed that this IS a disclosure that is not permitted under the Privacy Rule.

This applies to unsecured ePHI. If ePHI has already been encrypted by the covered entity, in a manner consistent with the OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (link) then the ePHI is no longer unsecured. If secured ePHI are encrypted by ransomware, a breach would not have occurred, individual notifications would not need to be issued, and the incident would not need to be reported to the OCR. However, the breach should still be reported to the local FBI office and the USSS field office.

Demonstrating a “Low Probability” That PHI has been Compromised

A covered entity would be required to perform a risk assessment following any ransomware (or malware) infection, and the following four factors should be considered as a minimum:

  1. The nature and extent of the PHI that has been encrypted and the likelihood of re-identification
  2. The actor who used the PHI or to whom the data have been disclosed
  3. The likelihood that ePHI has actually been acquired or viewed
  4. The extent to which risk to PHI has been mitigated

If a covered entity chooses not to report a ransomware infection to the OCR, that decision should be documented along with the reasons why the covered entity believes ePHI has not been compromised.

Covered entities should note that following any breach of ePHI involving more than 500 healthcare records – and in some cases fewer – the OCR will investigate. The OCR will want to see evidence that HIPAA Rules have been followed and the covered entity in question has taken appropriate steps to prevent, detect, contain, and respond to threats.

A ransomware infection may not warrant a financial penalty; however, if a covered entity has failed to implement appropriate controls to prevent malicious software from being installed or has not performed a comprehensive risk analysis, the OCR may choose to issue a financial penalty

OCR Guidance on Healthcare Ransomware Infections

The fact sheet on healthcare ransomware infections, including detailed information on the requirements of HIPAA, can be found on this link:


Guidance on “How to Protect Your Networks From Ransomware” can be downloaded here:


Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.