Defining ransomware and data breach disclosure

Jul 25, 2016 | 4 mins
Advanced Persistent Threats, Application Security, Cybercrime


Earlier this year, Hollywood Presbyterian Medical Center paid a $17,000 ransom in Bitcoin to unlock the hacker-imposed encryption on its data. A recent federal interagency report announced that since Jan. 1, 2016, there have already been over 4,000 reported ransomware incidents per day, more than three times the 1,000 such daily attacks that occurred throughout all of 2015.

What are the effects of ransomware that have caused its recent rise to fame?

First, it must be established what happens during a ransomware incident. A miscreant hacker gets through whatever protective physical and/or digital barriers are in place to keep unauthorized persons from reaching specific business-critical data. The purpose of this attack is not for the hacker to obtain a copy of the critical data. Instead, the perpetrator encrypts the victim's data to make it unusable by its authorized possessor. The hacker can then extort money from the victim in exchange for decrypting the data and returning it to a usable format.

Second, this significant increase in such attacks has prompted the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, the federal agency responsible for investigating HIPAA breaches, to issue guidance analyzing whether a ransomware incident constitutes a reportable health care breach under federal law.

Is ransomware a HIPAA breach of electronic Protected Health Information (ePHI)?

Title 45 of the Code of Federal Regulations contains the relevant HIPAA provisions. Section 164.402 of Title 45 defines the term "breach" as it pertains to ePHI: "Breach means the acquisition, access, use, or disclosure of protected health information...which compromises the security or privacy of the protected health information." So the question becomes: does a ransomware attack cause the "acquisition, access, use or disclosure" of ePHI?

No court decision has yet addressed this issue, but expert commentators have taken both sides of the argument.

Some believe that a ransomware attack is a HIPAA violation, because the systems being accessed are no longer under the control of the healthcare provider. There are others, however, who posit that ransomware would not result in a reportable breach, since ransomware does not actually give the hacker access to ePHI. Of course, whichever side you take in the HIPAA violation/no violation argument, one important fact cannot be ignored: the victim of the attack is unable to use the encrypted data.

What is OCR's view?

The recent guidance issued by OCR states definitively that the "HIPAA Security Rule requires implementation of security measures that can prevent the introduction of malware, including ransomware" and also requires that covered entities and business associates "implement policies and procedures that can [assist in] responding to and recovering from a ransomware attack."

The guidance further acknowledges that the presence of ransomware does constitute a "security incident" pursuant to 45 C.F.R. § 164.304, which requires the initiation of "security incident and response and reporting procedures," per 45 C.F.R. § 164.308(a)(6). The guidance advises that upon discovery of a ransomware attack, the health care entity should immediately implement its incident response plan, which should include, at a minimum, "measures to isolate the affected computer systems in order to halt the propagation of the attack." The entity should also consider reporting the incident to the appropriate FBI or U.S. Secret Service Field Office so that the necessary federal, state and local law enforcement agencies are appropriately deployed to "pursue cyber criminals globally and assist victims of cybercrime."

What other response factors should be considered?

To date, no court or regulatory judge has ruled that a ransomware incident constitutes a reportable HIPAA breach. If an affected entity has a backup copy of the data that the ransomware encrypted, it may be able to use that copy to restore its operational systems. The backup copy should first be reviewed by competent professionals to ensure that it does not itself contain the ransomware or other malware.


As legal counsel and HIPAA compliance officer in the Investigations section at Absolute, Stephen Treglia provides oversight and guidance on regulatory compliance related to data breaches and other security incidents. Stephen counsels the Absolute Investigations team, which conducts data forensics, theft investigations, and device recoveries. Stephen has extensive knowledge of the U.S. regulatory landscape, including SOX, HIPAA, and other industry-specific regulatory regimes.

Prior to Absolute, Stephen concluded a 30-year career as a prosecutor in New York, having created and supervised one of the world’s first computer crime units from 1997-2010.

Steve is a nationwide lecturer on legal issues pertaining to technology law, data privacy and security compliance, searching and seizing digital evidence, the admissibility of computer forensic analysis and other related litigation issues.

The opinions expressed in this blog are those of Stephen Treglia and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.