It’s been awhile since last we published for our firm blog Media & Privacy Risk Report, and one thing is largely to blame: ransomware attacks on our clients have been keeping us very busy. We’ve learned many lessons from these attacks that we plan to share over the coming months with our readers. But the focus of this post is recent guidance from the Office of Civil Rights of the Department of Health and Human Services (OCR) indicating that any ransomware attack involving protected health information PHI) could be a data breach with Health Insurance Portability and Accountability Act (HIPAA) reporting obligations.
Often in ransomware matters, a hacker encrypts data and demands that a ransom be paid (usually in Bitcoin) before the hacker will decrypt the data and make it once again accessible to the data owner (or covered entity) or maintainer (or business associate). But just because a hacker has frozen your data, does that mean that the hacker has accessed, acquired or exfiltrated your data? Isn’t it possible that a hacker could freeze your data without accessing, acquiring or exfiltrating it? By analogy, couldn’t someone render the locks on your house unusable (and thus your house inaccessible to you without a forced break-in) without actually accessing your house, acquiring anything within your house, or taking anything out of your house? It would seem that the answer would be yes. But if the OCR is asked that question, the presumption is that the answer is no, at least in the realm of ransomware attacks.
According to the OCR guidance: “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” OCR guidance at pp. 5–6 (emphasis added). To us, whether possession or control over data amounts to disclosure of it is a question open to debate. But the OCR appears to have deemed possession and control, on the one hand, and disclosure, on the other, to be effectively synonymous in the context of a ransomware attack.
Accordingly, “[u]nless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.” Id. at p. 6 (emphasis added) (citing 45 C.F.R. 164.400-414).
It remains to be seen what will satisfy the OCR as establishing a low probability of harm after a ransomware attack. In the guidance, the OCR emphasizes the four factors under 45 C.F.R. 164.402(2): (i) the nature and extent of the PHI involved, (ii) the unauthorized person who used the PHI or to whom disclosure was made, (iii) whether the PHI was actually acquired or viewed (iv) and the extent to which the risk to PHI has been mitigated. Id. By their very nature, ransomware attacks may not readily yield these sorts of details, meaning the presumption of breach may dictate the response, i.e., notification.
Although the OCR guidance is specific to PHI and HIPAA, we imagine that other regulators in the broader realm of personally identifiable information (PII) have or soon will adopt interpretations similar to the OCR’s in the ransomware context. Thus, companies would be well-advised to treat ransomware attacks as potential data breaches from the outset.