Earlier this year, Hollywood Presbyterian Medical Center paid a $17,000 ransom in Bitcoin to unlock the hacker-imposed encryption on its data. A recent federal interagency report announced that since Jan. 1, 2016, there have already been over 4,000 reported ransomware incidents per day, more than three times the 1,000 such daily attacks that occurred throughout all of 2015.

What are the effects of ransomware that have caused its recent rise to fame?

First, it must be established what happens during a ransomware incident. A miscreant hacker gets through whatever protective physical and/or digital barriers are in place to keep unauthorized persons from reaching specific business-critical data. The purpose of this attack is not for the hacker to obtain a copy of the critical data. Instead, the perpetrator encrypts the victim’s data to make it unusable by the authorized possessor. The hacker can then extort money from the victim in exchange for decrypting the data and returning it to its usable format.

Second, this significant increase in such attacks has recently caused the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, the federal agency responsible for investigating HIPAA breaches, to issue guidance analyzing whether a ransomware incident constitutes a reportable health care breach under federal law.

Is ransomware a HIPAA breach of electronic Protected Health Information (ePHI)?

Title 45 of the Code of Federal Regulations contains the relevant HIPAA provisions.
Section 164.402 of Title 45 provides the definition of the term breach as it pertains to ePHI: “Breach means the acquisition, access, use, or disclosure of protected health information…which compromises the security or privacy of the protected health information.” So the question becomes, “does a ransomware attack cause the ‘acquisition, access, use or disclosure’ of ePHI?”

No court decision has yet addressed this issue, but expert commentators have taken both sides of the argument.

Some believe that a ransomware attack is a HIPAA violation, because the systems being accessed are no longer under the control of the healthcare provider. Others, however, posit that ransomware would not result in a reportable breach since ransomware doesn’t actually provide the hacker access to ePHI. Of course, whatever side you take on the HIPAA violation/no violation argument, one important fact cannot be ignored: the victim of the attack is unable to use the encrypted data.

What is OCR’s view?

The recent guidance issued by OCR does definitely state that the “HIPAA Security Rule requires implementation of security measures that can prevent the introduction of malware, including ransomware” and also requires that covered entities and business associates “implement policies and procedures that can assist…in responding to and recovering from a ransomware attack.”

The guidance further acknowledges that the presence of ransomware does constitute a “security incident” pursuant to 45 C.F.R. § 164.304, which requires the initiation of “security incident and response and reporting procedures,” per 45 C.F.R. § 164.308(a)(6).
The guidance advises that upon discovery of a ransomware attack, the health care entity should immediately implement its incident response plan, which should include, at a minimum, “measures to isolate the affected computer systems in order to halt the propagation of the attack.” The entity should also consider reporting the incident to the appropriate FBI or U.S. Secret Service Field Office so that necessary federal, state and local law enforcement agencies are appropriately deployed to “pursue cyber criminals globally and assist victims of cybercrime.”

What other response factors should be considered?

To date, no court or regulatory judge has ruled that a ransomware incident constitutes a reportable HIPAA breach. If an affected entity has a backup copy of the data that has been encrypted by ransomware, it is possible this copy could be used to regenerate that entity’s operational systems. The backup copy should be reviewed first by competent professionals to ensure that it does not also contain the ransomware or other malware.