Ransomware and HIPAA: Are Attacks Reportable?

Following a number of high-profile ransomware attacks on hospitals, the issue of whether ransomware attacks are reportable under HIPAA has been raised by a number of privacy experts.

So far, attacks on hospitals, including the Hollywood Presbyterian Medical Center attack in February, have not been added to the HHS breach portal and are unlikely to appear there. The healthcare organizations that have announced ransomware infections maintain that, although files were encrypted, patient data were not accessed or taken.

But what about situations in which file-encrypting malware does lock files containing patients’ PHI? Would those ransomware attacks be reportable under HIPAA? The Department of Health and Human Services’ Office for Civil Rights must be notified of malware attacks that result in attackers gaining access to unsecured PHI, but with ransomware the situation is less clear.

If ransomware encrypts patients’ Protected Health Information, the attackers are the only party holding the decryption key. That does not by itself mean the attackers have viewed or acquired the PHI. Some ransomware strains do not communicate with a command and control server once installed, and with no channel back to the operators the individuals behind such a campaign would have no way to obtain the data they encrypted. That cannot be assumed for every ransomware family or every attack, however: whether data left the network is a question for the network and host logs of the specific incident, not for the general reputation of the strain.

The question was put to the HHS by The Office of Inadequate Security, and a response was received from a Public Affairs Specialist on behalf of the department indicating a ransomware infection that resulted in PHI being encrypted may in fact be reportable under HIPAA.

HIPAA defines a breach as an impermissible use or disclosure of protected health information. If an attacker has succeeded in locking data, that could be viewed as a disclosure. The incident would then be reportable unless the covered entity could demonstrate a low probability that PHI was compromised: that no PHI was corrupted by the infection, that it had not been altered, that it was not lost, and that it had not been exfiltrated.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.