[ Monday, August 08, 2016 ]
Jeff [5:57 PM]
Are Ransomware Attacks Per Se HIPAA breaches?
"Not Necessarily," says this National Law Review article.
Of course, I agree. But this is just plain wrong: "If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule." In most ransomware situations, the malware is injected into the affected system; there is no possession, and certainly no disclosure. The only "control" involved is preventing the rightful owner from controlling the data; the hacker has no control over the data either, and can't even decrypt it. Preventing someone else from using their data is not "controlling" the data, it's controlling the victim and rightful owner of the data.