Is a Ransomware Attack Reportable to HHS? HIPAA & HITECH Act Blog by Jonathan P. Tomes

Jon Tomes

Perhaps I should rename this blog the HIPAA Ransomware Blog because that seems to be the main topic of recent blogs. Not only are such attacks not going away, but also they appear to be increasing.

It is bad enough to suffer the harm of a ransomware attack, even one that does not end up with your having to pay an exorbitant ransom. But most ransomware attacks to date, whether successful or unsuccessful, have not required notification to the Department of Health and Human Services (“HHS”) under 45 C.F.R. §§ 164.400-414 of breaches of unsecured protected health information (“PHI”). Why? Because most ransomware attacks did not access the PHI or do anything improper with it, such as selling it to identity thieves. They simply locked it down—that is, encrypted it so that you could not access or use it unless you got the decryption key by paying the demanded ransom.

Thus, although an unsuccessful ransomware attack is nonetheless a security incident, requiring a security incident report under § 164.308(a)(6)(ii), a successful ransomware attack may be reportable as a breach under 45 C.F.R. §§ 164.400-414 if the PHI was not secured―that is, basically encrypted under the National Institute for Standards and Technology (“NIST”) Encryption Standard, NIST SP 800-175B. See “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” at

If not encrypted so as to comply with that standard, the breach is reportable unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

Thus, if the party committing the ransomware attack does not actually acquire or view the PHI, a low (or nonexistent) probability of compromise would seem to exist, negating the need to report the breach to HHS and the individual, although reporting to individuals might be compelled by the duty to mitigate harm occasioned by breaches under 45 C.F.R. 164.530(f). Of course, a legal review of the decision as to whether a breach is reportable is a must.

NIST has developed a scoring matrix for determining the probability of compromise that HHS has adopted for the breach reporting determination. See American Health Information Management Association (“AHIMA”), HIM Body of Knowledge, “Performing a Breach Risk Assessment,” at , to help determine whether the breach is reportable. Of course, again, a legal review of the decision whether a breach is reportable is a must. Using that matrix would often show that a ransomware attack that only locked down the data and did not access, use, or disclose it improperly would not be reportable.

Recently, however, just locking down one’s data until the ransom is paid is not enough for ransomware extortionists. They are, more and more often, actually accessing the data and using and disclosing it improperly. A study by the Crypsis Group found that approximately one fourth of ransomware attacks now include exfiltration—that is, taking the data (accessing or copying it) and using or disclosing it improperly, such as by using it for marketing purposes, or to commit identity theft, other fraud, malicious disclosure, and the like, or selling it to others who could so use it. See Drew Schmitt, “Ransomware’s New Trend: Exfiltration and Extortion,” Crypsis/Insights, September 17, 2020. Thus, if the ransomware attack includes exfiltration, it almost certainly will require notification under the Security Rule and NIST tests to determine whether breaches are reportable.

So on top of any ransom paid or the costs of getting professional help to decrypt your PHI and restore your system, you may face a six- or seven-figure civil money penalty (“CMP”) or settlement in lieu thereof for any HIPAA violations uncovered after HHS investigates the breach. Sounds like a good reason to update your risk analysis of the threat of ransomware and your existing security measures.

Alice here: yes, I’m back to my usual bad habit of trying to sell things to you. First, I apologize for not being as available as I used to be for you to call me with your questions. I am in a nursing home locked down in solitary confinement in my cell because of Covid-19. I am grateful that I don’t have it, but so many others do. I am in the nursing home because in the past few years I have had to have half of my right foot and half of my left leg amputated because of peripheral artery disease from tobacco. So if you smoke or vape, please do yourself a favor and quit. Now. The fastest way to get answers to your HIPAA questions is to contact Jon Tomes at or on his cell at (816) 527-3858. Second, in answer to those of you who have asked about whether the online HIPAA training video available for sale on our website at is still up to date and accurate, yes. Jon said that it is the fundamentals, so it hasn’t changed. If the HIPAA basics ever change, he will update the video. Third, thanks for reading Jon’s blog, for buying his HIPAA books and other compliance tools on our website at, for attending his seminars and webinars, and for hiring him as your HIPAA consultant, both onsite and offsite. We appreciate the work that you do on the planet, especially during this pandemic, and ask that you please stay safe out there.
