The question I get asked most is “do I have to report a ransomware attack?” Reporting ransomware attacks is not a simple yes-or-no question; my usual answer is “it depends”. First, you need to do a thorough investigation, most often including forensics. You need to be able to prove that your data was encrypted and not stolen, which is not always an easy task. Below are a few factors in determining whether you need to report the ransomware attack.

Reporting Ransomware Attacks

You will not have to report a ransomware attack if:

  1.  The ePHI is sufficiently encrypted. 33% of HIPAA violations are lost and stolen laptops. Encryption will give you a get-out-of-jail-free card.
  2.  You have identified the ransomware variant and proven that it did not exfiltrate data.
  3.  You are unsure of the damage that has been done and cannot figure out where the ransomware originated.

In Summary

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

In short, the guidance is “Yes, a successful ransomware infection is considered a reportable HIPAA breach unless the covered entity can demonstrate that there is a ‘…low probability that the PHI has been compromised.’”

If you feel you have been infected, contact us at 855-698-4373. We can run our forensics tools to help you find the origin and determine whether data has been pulled from your network.