TortSource: Ransomware: A Reportable Breach?

Articles / Publications

Reprinted with permission by the American Bar Association. Published in TortSource Winter 2017.

In the past several years, a huge increase has occurred in the number of electronic attacks in the United States using ransomware, a form of malware that targets and encrypts critical data and systems for the purpose of extortion. The recent United States interagency guidance document titled How to Protect Your Networks from Ransomware stated that, on average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016-a 300-percent increase over the approximately 1,000 attacks per day seen in 2015.

Health care entities are prime targets for ransomware attacks for two main reasons. First, the information such entities maintain is extremely valuable on the underground market (e.g., social security number, address, date of birth-all contained within one record). Second, when attacked, health care entities are more likely to pay the ransom because operating without access to their electronic systems (especially an electronic medical record) is not a viable option and, in some instances, could literally be a matter of life or death.

So, what do you do when a health care entity you represent is attacked with ransomware? Disregarding the technology aspect and focusing on the legal aspect under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, you conduct a breach assessment.

In light of the increasing number of ransomware attacks against health care entities, the Office of Civil Rights (OCR), the agency overseeing HIPAA compliance, recently released guidance on this very topic. OCR states that a ransomware incident that encrypts patient information protected by HIPAA is presumed to be a breach, unless that presumption is rebutted through a documented breach assessment. Along with such a determination comes legal reporting obligations to the patients, the federal government, and, in some instances, the media (if the incident involves more than 500 patients). Thus, the breach assessment process is very important, because rebutting the presumption and documenting that the incident resulted in a low probability of compromise will have significant operational, public relations, and financial benefits for your clients.

When conducting the breach assessment following a ransomware incident, the following factors should be reviewed, analyzed, and documented:

  • Nature and extent of the patient information involved. What type of information was involved in the attack? Was the information encrypted prior to the attack?
  • Unauthorized person initiating the ransomware incident and attacker's control/access to the information involved. What type of ransomware was involved? What algorithmic steps were involved in the attack? What commands did the attacker initiate?
  • Determination of whether the patient information was actually acquired or viewed by the attacker (or anyone else). Could the attacker view or remove the patient information?
  • Extent to which the incident has been mitigated.
  • Impact on the unavailability of the patient information. Was the information able to be backed up and recovered? How long did the recovery process take?
  • Impact on the integrity of the patient information. Are you confident that the recovered information is complete and accurate and was not altered by the attacker?

From a technology standpoint, a ransomware incident may be relatively contained and easy to address (especially if you have proper back-up capabilities). However, from a HIPAA compliance standpoint, it is much more complicated and requires thorough review, analysis, and documentation.

Kelli Fleming is a partner at Burr & Forman LLP in Birmingham, Alabama, practicing exclusively within the firm's Health Care Industry Group. She can be reached at

Jump to Page

Contact Us

About Burr & Forman Cybersecurity & Data Privacy Law

Burr & Forman's experienced team helps clients navigate the complex cybersecurity and data privacy landscape with strategies designed to assess current risks, develop a corrective action plan, implement best practices, and provide immediate and appropriate responses to a cybersecurity breach.

We use cookies to improve your website experience, provide additional security, and remember you when you return to the website. This website does not respond to "Do Not Track" signals. By clicking "Accept," you agree to our use of cookies. To learn more about how we use cookies, please see our Privacy Policy.

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.