The question I get asked most is “do I have to report a ransomware attack?” Reporting ransomware attacks does not have an easy answer. My usual answer is “it depends”. First off, you need to do a thorough investigation, most often including forensics. You need to be able to prove that your data was only encrypted and not stolen, which is not always an easy task. Below are a few factors in determining whether you need to report the ransomware attack.
Reporting Ransomware Attacks
You will not have to report a ransomware attack if:
- The ePHI was already encrypted before the attack, in a manner consistent with HHS guidance, and the encryption keys were not compromised. Data the attacker cannot read is not “unsecured PHI” under the Breach Notification Rule, and 33% of HIPAA violations are lost and stolen laptops, which is exactly where this exception applies. One caveat: if the ransomware ran on a system where the data was already decrypted (for example, full-disk encryption on a machine that was powered on and logged in), the data was accessible to the malware and this exception does not help you.
- You have identified the variant and proven, with forensic evidence such as network and host logs, that it did not exfiltrate data.
You will have to report a ransomware attack if:
- You are unsure of the damage that has been done, or cannot figure out where the ransomware originated, because you then cannot demonstrate a low probability that the PHI was compromised.
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
In short, the guidance is “Yes, a successful ransomware infection is considered a reportable HIPAA breach unless the covered entity can demonstrate that there is a ‘…low probability that the PHI has been compromised.’” Demonstrating that low probability means a documented risk assessment covering at least the four factors in the Breach Notification Rule: the nature and extent of the PHI involved, the unauthorized person who used it or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Without that assessment, notification is required, to affected individuals and to HHS, without unreasonable delay and no later than 60 days after discovery.
If you believe you have been infected, contact us at 855-698-4373. We can run our forensics tools to help you find the origin of the infection and determine whether data has been pulled from your network.