25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Ransomware and HIPAA: Are Attacks Reportable?

Posted By on Apr 1, 2016

Following a number of high-profile ransomware attacks on hospitals, the issue of whether ransomware attacks are reportable under HIPAA has been raised by a number of privacy experts.

So far attacks on hospitals, including the Hollywood Presbyterian Medical Center attack in February, have not been added to the HHS breach portal and are unlikely to appear. The healthcare organizations that have announced they have been hit with ransomware infections claim that while files were encrypted, patient data were unaffected.

But what about situations when malicious file-encrypting software does lock files containing the PHI of patients? Would those ransomware attacks be reportable under HIPAA? The Department of Health and Human Services’ Office for Civil Rights must be informed of malware attacks that result in hackers gaining access to PHI, but with ransomware the situation is less clear.

If ransomware encrypts the Protected Health Information of patients, the attackers are the only individuals with a security key to unlock the data. That does not mean that PHI has been viewed or acquired by the attackers. Some ransomware strains do not communicate with a command and control server once they have been installed, therefore the individuals behind the campaigns would not have access to PHI even if it was encrypted. That may not necessarily be the case for all forms of ransomware and for all attacks.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The question was put to the HHS by The Office of Inadequate Security, and a response was received from a Public Affairs Specialist on behalf of the department indicating a ransomware infection that resulted in PHI being encrypted may in fact be reportable under HIPAA.

HIPAA defines a breach as an impermissible use or disclosure of protected health information. If an attacker has succeeded in locking data, this could be viewed as a disclosure. It would be reportable unless the covered entity in question could demonstrate there was a low probability of PHI compromise, that no PHI was corrupted as a result of the infection, that it had not been altered, was not lost, and had not been exfiltrated.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist