Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

By and on August 15, 2016

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

Ransomware is a type of malware (malicious software). It is deployed through devices and systems through spam, phishing messages, websites and email attachments, or it can be directly installed by an attacker who has hacked into a system. In many instances, when a user clicks on the malicious link or opens the attachment, it infects the user’s data. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware. After the user’s data is encrypted, the ransomware attacker directs the user to pay a ransom in order to receive a decryption key. However, the attacker may also deploy ransomware that destroys or impermissibly transfers information from an information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key necessary needed to decrypt the information, but it is not guaranteed. In 2016, at least four hospitals have reported attacks by ransomware, but additional attacks are believed to go unreported.

Read the full article here to learn about the indications of a ransomware attack, what do in the event of a ransomware attack and what circumstances constitute a HIPAA breach.

Anthony A. Bongiorno
Anthony (Tony) A. Bongiorno has extensive jury trial experience in a variety of commercial matters and serves as the partner-in-charge of the Firm’s Boston office. Tony has successfully tried cases in various federal and state courts around the country. In addition to his significant jury trial experience, Tony has also tried matters under the auspices of the American Arbitration Association, the International Centre for Dispute Resolution and the International Chamber of Commerce. Tony has represented clients in many industries, including energy, health care, biotech and construction.


Michael G. Morgan
Michael Morgan is a leader of the Firm’s Global Privacy and Cybersecurity practice. Recognized as one of the nation’s leading lawyers in cyber incident response, Mike has guided clients through some of the largest and most complex data breaches, including state-sponsored attacks, breaches involving more than 50 million records, and incidents affecting persons in more than 100 countries around the world. He represents clients in the defense of breach-related government investigations and class action litigation as well as pre-breach planning and post-breach remediation. Read Michael Morgan's full bio.

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

Top ranked chambers 2022
US leading firm 2022