Complying With HIPAA Following a Ransomware Attack

In 2016, the U.S. Department of Health and Human Services (“HHS”) issued guidance to help covered entities and business associates understand, among other things, how to respond appropriately to ransomware attacks under the Health Insurance Portability and Accountability Act (“HIPAA”). 

Ransomware Is a “Security Incident” Under HIPAA

According to the guidance, the presence of ransomware on a covered entity’s or business associate’s computer system constitutes a “security incident” under HIPAA.  Thus, if ransomware is detected, the affected entity must initiate its HIPAA security incident response and reporting procedures.  The guidance recommends that the affected entity initially attempt to investigate:

  • the scope of the incident to identify what networks, systems, or applications are affected;
  • the origination of the incident (who/what/where/when);
  • whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment; and
  • how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).

The guidance recommends that the affected entity then seek to mitigate the harmful effects of the ransomware, remediate the vulnerabilities that permitted the ransomware attack and propagation, restore any compromised data, and incorporate lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents. 

Finally, the guidance advises covered entities and business associates to perform, as part of their security incident response, a “deeper analysis of the evidence to determine” if the security incident amounts to a “breach” under HIPAA.  This determination is critically important.  If a breach has occurred, then the affected entity must comply with HIPAA’s Breach Notification Rule, which requires, among other things, notification to all affected individuals, HHS, and, in some cases, local media outlets.

Ransomware May Constitute a “Breach” Under HIPAA

If ransomware encrypts electronic protected health information (“ePHI”), a breach has occurred because the ePHI has been acquired (i.e., unauthorized individuals have taken possession or control of the information).  If, however, the ePHI was encrypted prior to the attack in accordance with HHS guidance, there may not have been a breach if the encryption rendered the affected ePHI unreadable, unusable, and indecipherable to the unauthorized person or people. 

Ultimately, whether a ransomware attack constitutes a reportable breach is a fact-specific determination, but a breach is presumed to have occurred unless the covered entity or business associate can demonstrate that there is a “low probability” that the ePHI has been compromised.  To demonstrate that a “low probability” of a compromise exists, the covered entity or business associate must conduct a thorough, good faith risk assessment and reach conclusions that are reasonable given the circumstances.