Jeff Duncan Brecht authored an article in the March 2017 edition of PALS, a publication of the American Health Lawyers Association Post-Acute and Long Term Services Practice Group, titled “Ransomware and Long Term Care: How the Threat of Holding Patient Records Hostage Impacts HIPAA Analysis.” The article discusses the threat of ransomware to protected health information (PHI) as it relates to long term care and other health care providers, and what steps to take to help prevent data system infections and to create a “low probability” of compromised PHI if such an infection occurs.
While some called 2016 the “year of ransomware,” in January 2017, the Federal Bureau of Investigation warned that ransomware attacks continue to be “on the rise” and are becoming ever-more clever. Ransomware’s unique “quality” of encrypting its victim’s data, effectively making that data unavailable, has led the OCR to declare that when a HIPAA-covered entity suffers a ransomware attack that encrypts PHI, a rebuttable HIPAA breach presumption is triggered. In fact, in a contemporaneous statement issued by OCR’s former Director, OCR “made clear” that “a ransomware attack usually results in a ‘breach’ of healthcare information under the HIPAA Breach Notification Rule.”