[ Wednesday, February 19, 2020 ]
Adding Insult to Injury: As @PogoWasRight
noted over the weekend at databreaches.net, class action lawsuits have been filed against Hackensack Meridian Health because HMH got hit by ransomware. The hospitals had to delay and reschedule non-emergency procedures. No emergency patients were denied care, and no inpatients were harmed by the attack. It's not even clear whether the ransomware event resulted in data exfiltration; the fact that the hospital system has not reported the incident to HHS or notified patients leads me to believe there was no exfiltration.
(Despite OCR's claim that any ransomware attack is a reportable breach, the regulations do not support that interpretation. Unless there is "an acquisition, access, use or disclosure of protected health information in a manner not permitted" by HIPAA, there is no breach. A third party encrypting your data isn't what you want to have happen, but data encryption is, in fact, permitted by HIPAA (in fact, it's encouraged). So the fact of the encryption is not a breach; it's only a breach if, in addition to the encryption, there's an acquisition, access, use or disclosure that's not permitted, which basically means the data has to get out. Some current ransomware versions do take data outside the attacked system, so the hackers can also sell the data in addition to collecting the ransom for decrypting it; in those cases, the ransomware attack is a breach because it meets the definition. Where there is no exfiltration, the incident likely doesn't meet it.)
This is idiotic, and these lawyers really should be ashamed of themselves. Third-party bad actors attacked HMH's network and caused a huge disruption. There's no evidence at all of any fault or blame on the part of HMH; ransomware attacks are pretty common, some phishing techniques are pretty clever, and there's no such thing as perfect data security. But more importantly, nobody was hurt. What damages did these plaintiffs suffer?
Jeff [8:25 AM]