HIPAA Update - Ransomware Attack Puts 33,000 Patients at Risk

September 28, 2017

St. Mark’s Surgical Center in Fort Myers, Florida was the target of a ransomware attack earlier this year that prevented access to patient data, including protected health information (PHI) such as names, dates of birth, and Social Security numbers. Ransomware infiltrates an organization’s systems, encrypts its data, and offers to release (decrypt) that data only upon payment of a ransom. A ransomware attack may also result in PHI being exposed outside the organization.

The Department of Health and Human Services, Office for Civil Rights (OCR), the HIPAA enforcement agency, reports that ransomware attacks are on the rise, with over 4,000 daily attacks since early 2016, a 300% increase compared to 2015. HIPAA requires covered entities and business associates to have in place security measures that can help prevent ransomware attacks, including, among other measures, (1) a security management process, which includes a risk analysis to identify threats and vulnerabilities; (2) procedures to guard against and detect malicious software; (3) staff training on identifying, assisting in detecting, and reporting malicious software; and (4) implementation of access controls that limit access to PHI to only those who need it.

The OCR has issued guidance stating that ransomware attacks are presumed to result in a breach of PHI unless the affected covered entity or business associate can prove, through an investigation and risk assessment, that there is a low probability PHI was compromised. Covered entities have a maximum of 60 days following the discovery of a breach to report the breach to affected individuals and, in certain circumstances, to the OCR and other authorities. In this matter, St. Mark’s was assessed a monetary penalty for late notification.

If you need assistance with your organization’s HIPAA policies and procedures, risk management plan, or investigating and responding to a breach or suspected breach incident, including a ransomware attack, please contact a member of our Health Care Practice Group.

Related Practice: Health Law

Attorneys: Lani Dornfeld and Brian Wong
