2 Medical Practices Among Latest Ransomware Attack Victims
But Are Such Incidents Underreported to Regulators?
Susan Lucci, senior privacy and security consultant at tw-Security, says: “By now, we would hope both covered entities and business associates clearly understand their responsibilities to report a ransomware attack based on specific guidance by HHS on this subject.”
The guidance notes that “when ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired – for example, unauthorized individuals have taken possession or control of the information – and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule,” Lucci points out.
When organizations conduct a breach analysis to determine if there is a low probability of compromise to PHI, which means an incident doesn’t have to be reported to HHS as a breach, they must use caution, Lucci warns. “Should an [HHS] investigation ensue, documentation should be bullet-proof,” she says.
The decision to report a ransomware incident to HHS is only one regulatory consideration, Lucci warns. “One important point to remember is, in the case of a ransomware attack, do not forget to check state statutes,” she notes. “Reporting a breach to the OCR [HHS Office for Civil Rights] is one thing, but in this particular case following the state’s guidance in reporting this breach to individuals and other requirements is likely to be needed.”