Is a Ransomware Attack a HIPAA Breach?

Q. Is it a HIPAA breach if ransomware infects our practice’s computer system?

A. It is if the ransomware attack encrypts electronic protected health information (ePHI).

Ransomware is a type of malicious software by which a hacker attempts to deny you access to your own data, usually by encrypting the data with a key that only the hacker knows, until you pay a ransom.

The U.S. Department of Health and Human Services (HHS) says ePHI encrypted by ransomware is a breach because unauthorized individuals have taken possession or control of it, i.e., the ePHI was “acquired,” which is a “disclosure” not permitted under the HIPAA Privacy Rule. HIPAA defines a breach as “the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the [PHI].”

Unless you can demonstrate that there is a “low probability that the PHI has been compromised,” based on four factors set forth in the HIPAA Omnibus Rule, you must then comply with applicable breach notification requirements.

Ransomware attacks against home users, businesses, and government networks have increased 300 percent since 2015 and now top 4,000 attacks per day, according to a government guidance report. Take these steps to protect your practice from ransomware.

The Texas Medical Liability Trust (TMLT) includes comprehensive cyber liability coverage in all of its policies. TMLT also offers customized services to help large groups, small offices, and individual physicians arm themselves against online threats. Learn more about TMLT’s cyber liability coverage. These are some of the ways your TMA membership can help you avoid risk.

For more information about ransomware and HIPAA, see this fact sheet from HHS.

Published July 29, 2016


Last Updated On: February 02, 2017
