Is a Ransomware Attack a HIPAA Breach?

Thus far in 2016 we have seen four (known) cases of ransomware affecting the healthcare industry. In each case the hospital involved was locked out of its systems until it paid a ransom to the hackers or was otherwise able to access a backup of its information. We know that in one case the ransom was paid, and the FBI is even recommending that victims pay the ransom.

This raises the question, "If your organization falls victim to a ransomware attack, is that a breach under HIPAA?" The simple answer is no, but some analysis is required.

A breach is defined under HIPAA as unauthorized "access, acquisition, use, or disclosure" of PHI. In a typical ransomware attack, the PHI is not accessed, acquired, used, or disclosed; rather, it is essentially locked, which prevents access to or use of the information.

However, ransomware attacks must be investigated and analyzed to ensure a breach did not occur. While ransomware attacks are typically not considered HIPAA breaches, this style of attack is evolving, and it is reasonable to expect that future ransomware attacks will include unauthorized "access, acquisition, use, or disclosure" of PHI. A ransomware attack is presumed to be a breach, and it is the breached organization's duty to prove that PHI was not inappropriately viewed or acquired, and therefore that no breach occurred. The only way to prove there was no breach is to perform a forensic investigation of the compromised data to ensure it was not accessed by the hackers. Only then can a ransomware attack be determined not to be a HIPAA breach.

Learn more:

HIPAA Incident vs. HIPAA Breach

How To Ensure Timely Notification of a HIPAA Breach

A Plan For The Worst Case Scenario - What To Do If You Have A HIPAA Breach


