Ransomware Reporting Requirements & New HHS Guidance

Ransomware is malicious software that denies access to data, usually by encrypting the data with a private encryption key that is only provided once a ransom is paid. Sometimes the ransomware will actually destroy, steal, or export data from information systems.

Ransomware has become a significant threat to all U.S. businesses and individuals, and a particularly dangerous threat to those in health care. Ransomware victims are not only at risk of losing their files or suffering from a data breach, but may also experience financial loss due to paying the ransom, loss of productivity, IT services, legal fees, network countermeasures, and the purchase of credit monitoring services for employees or customers if their information was referenced in the encrypted files. In health care, the consequences can be far more serious— protected health information can be lost, destroyed, or shared with malicious actors, patient treatment can be delayed, and lives could even be lost as a result of systems being locked down by malicious actors.

Due to the significant uptick of ransomware attacks and its particularly powerful threat to the health care industry, The Federal Health and Human Services Department (HHS) issued a fact sheet, available here, that provides guidance on ransomware issues and notes that hospitals and doctor offices may be required to notify HHS if they are a victim of ransomware. As it notes, “The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. . . . Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).”

For more information, please contact the author at alosey@foley.com.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services

Sectors

Health Care & Life Sciences

Practice Areas

Health Care

Insights

The Coming Wave of Startup M&A

04 October 2023

Foley Ignite

Startup Advisors: Why Talk to an Attorney Early On?

04 October 2023

Foley Ignite

The No Surprises Act: The Departments Proposed Another Increase to IDR Fee, Will it Stick?

03 October 2023

Health Care Law Today

Remember to Include Non-Discretionary Income When Calculating Overtime Pay Under the FLSA

02 October 2023

Labor & Employment Law Perspectives

Foley’s Historic Win in Case Against FTC Featured in Legal Press

04 October 2023

Von Bryant Comments on American Alliance for Equal Rights v. Fearless Fund

03 October 2023

NPR

Foley Represents Doceree in $35M Series B Funding

03 October 2023

Lawrence Vernaglia Comments on Recent OIG Unfavorable Advisory Opinion

02 October 2023

Report on Medicare Compliance

AI Summit New York 2023

6-7 December 2023

New York, NY

14th Annual J. Barrett Benton Health Law Conference

01 December 2023

New Orleans

American Conference Institute’s Advanced Forum on Telehealth

15-16 November 2023

New York, NY

Feeling Insecure About SECURE 2.0? A Discussion for Retirement Plan Sponsors

1 November 2023

Webinar