OCR Tells Healthcare Organizations: A WannaCry Ransomware Attack is a HIPAA Breach

May 17, 2017 David Holtzman

The Office for Civil Rights (OCR) has issued advisories that a HIPAA covered entity or business associate affected by the “WannaCry” ransomware attack or other malware should respond to the incident as a reportable breach under the HIPAA/HITECH Breach Notification Rule. In ransomware guidance issued last year, OCR took the position that when a cybercriminal gains access to an information system that creates, transmits or maintains protected health information, this constitutes an unauthorized disclosure of electronic protected health information (ePHI).

Health care organizations in the United States that are affected by WannaCry or other forms of ransomware need to be familiar with HHS’s ransomware guidance. The guidance advises that when ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (since unauthorized individuals have taken possession or control of the information). Unless the organization can demonstrate that there is a low probability that the PHI has been compromised based on the factors set forth in the Breach Notification Rule, a breach is presumed to have occurred and notification is required.

CynergisTek recommends that if your organization falls victim to an attempted or successful ransomware incident, there should be a careful forensic examination of the information system to determine whether the attackers had the ability to access PHI and the extent of the individual information affected, as well as an assessment of the probability of compromise to the data using the requirements of the Breach Notification Rule as a guide. We also recommend that you create awareness across your enterprise of how to respond in the event of an attempted or successful ransomware attack. If you would like to learn more about CynergisTek’s HIPAA Privacy programs or additional ways to perform a breach assessment, contact us here.
