In a recent Forbes article, titled “Is Ransomware Considered a Health Data Breach Under HIPAA”, Dan Munro explains that ransomware should not be considered a health data breach under the Health Insurance Portability and Accountability Act (HIPAA) – the act establishing protection and security requirements for an individual’s health information. Specifically, Munro argues that HIPAA is designed to protect patients against the loss, theft, or breach of their protected health information (PHI). Since those in control of the ransomware supposedly never actually acquire the PHI, and instead just encrypt it, there technically is no breach of PHI and therefore no legal reporting is required under the terms of HIPAA.
On the other side of the debate, Jack Danahy argues just the opposite – “ransomware attacks need to be disclosed as unauthorized exposures of private information because they are every bit as dangerous as the outright theft of the laptop, desktop, or server that they infect.” Danahy’s reasoning is that because the systems are being accessed by unauthorized persons and are thus no longer under the control of the healthcare provider, the incident falls under HIPAA disclosure requirements. It doesn’t matter whether the cybercriminal actually uses the PHI, argues Danahy, because once encrypted, the data is out of the network provider’s control and in the hands of a criminal, making disclosure absolutely necessary. While this legal ambiguity is certainly a concern, especially given the significant rise in the volume of ransomware attacks on the healthcare industry, it appears that for now there is no clear line on ransomware disclosure requirements.