[ Monday, March 28, 2016 ]
Ransomeware: Must a provider report a ransomware hack as a HIPAA breach? That's a question that's making the rounds with some of my friends in the privacy space, and there certainly is some disagreement on the matter. Personally, I'd say every breach must be treated on its own facts, a breach risk analysis must be done, and the various factors considered. But I believe it is absolutely possible to determine that there is no more than a low risk of compromise (remember, that's really an undefined and undefinable term in this context) if there was not exfiltration of the data.
Apparently Rep. Ted Lieu of California agrees, because
he's proposing legislation to require provider to give notice to patients if they've been subject to a ransomware attack. If it were required to be reported, there'd be no need to change the law, right?
Jeff [2:02 PM]
http://www.blogger.com/template-edit.g?blogID=3380636
Blogger: HIPAA Blog - Edit your Template