In the last couple of months, the OCR has released clarification via their Fact Sheet on whether a ransomware attack is considered a HIPAA breach. Per the updated Fact Sheet, OCR’s position is that a ransomware attack is a breach. OCR says that because the attacker gained control over the computer data by encrypting files, this constitutes “unauthorized access” and is a HIPAA breach. Notification of the breach may or may not be required. If a ransomware attack occurs, the practice must either notify patients whose ePHI was involved in the attack or complete an analysis that refutes the fact that ePHI was compromised in the attack.

The analysis that occurs after the attack to determine whether notification is required should consider these four factors:

The nature and extent of the PHI involved, specifically the types of identifiers and the likelihood of re-identification.
The unauthorized person who used the PHI or to whom the disclosure was made.
Whether the PHI was actually acquired or viewed.
The extent to which the risk to the PHI has been mitigated.
The forensic team completing the analysis should also try to determine the following:

Whether the hackers were able to exfiltrate the data before or after the attack.
Whether the exfiltrated data was encrypted before the attack and whether it can be accessed once exfiltrated.
Whether hackers were able to collect passwords or keys that would enable access to otherwise encrypted or password-protected ePHI.
Even if the analysis determines there was a low risk of compromise to ePHI, the OCR advises that patients should be notified if there is a high risk of unavailability of the data or high risk to the integrity of the data.