The topic of ransomware, especially ransomware hitting healthcare organizations, is making headlines daily. Dan Munro has a very good article over at Forbes that asks an important question:
Is Ransomware Considered A Health Data Breach Under HIPAA?
David Harlow, Principal – The Harlow Group, LLC, whose insight into HIPAA law I respect greatly, states:
Ransomware has just recently come to the fore as a threat to the healthcare industry and it challenges our collective instincts about what should be considered data breaches under HIPAA. We need to remember that HIPAA is narrowly drawn and that a breach is defined as the unauthorized “access, acquisition, use or disclosure” of PHI. In many cases, ransomware “wraps” PHI rather than breaches it. This may explain why there are so few public reports of ransomware in healthcare – there is no obligation to report these incidents to OCR.