In July, the U.S. Department of Health & Human Services ("HHS") issued guidance concluding that a ransomware attack constitutes a "breach" under the Health Insurance Portability and Accountability Act ("HIPAA"). The guidance states that when electronic protected health information is encrypted as the result of a ransomware attack, a breach has occurred because the information encrypted by the ransomware was "acquired" by unauthorized individuals and is thus a "disclosure" not permitted under the HIPAA Privacy Rule. A breach is presumed to have occurred in such a situation unless the covered entity or individual can demonstrate that there is a low probability that the protected health information has been compromised.