Thus far in 2016 we have seen four (known) cases of ransomware affecting the healthcare industry. In each case the hospital involved was locked out of its systems until it paid a ransom to the hackers or was otherwise able to restore from a backup of its information. We know that in one case the ransom was paid, and the FBI is even recommending that victims pay the ransom.
This raises the question, "If your organization falls victim to a ransomware attack, is that a breach under HIPAA?" The simple answer is no, but some analysis is required.
A breach is defined under HIPAA as unauthorized "access, acquisition, use, or disclosure" of PHI. In a typical ransomware attack, the PHI is not accessed, acquired, used, or disclosed; rather it is essentially locked, thus preventing access or use of the information.
However, ransomware attacks must be investigated and analyzed to ensure a breach did not occur. While ransomware attacks are typically not considered HIPAA breaches, this style of attack is evolving, and it is reasonable to expect that future ransomware attacks will include unauthorized "access, acquisition, use, or disclosure" of PHI. A ransomware attack is presumed to be a breach, and it is the affected organization's duty to prove that PHI was not inappropriately viewed or acquired, and therefore that no breach occurred. The only way to prove there was no breach is to perform a forensic investigation of the compromised data to ensure it was not accessed by the hackers. Only then can the ransomware incident be determined not to be a HIPAA breach.