Back in March, I blogged about the question as to whether a ransomware attack needed to be reported to HHS as a HIPAA breach. In that post, I quoted an HHS spokesperson who informed DataBreaches.net that a ransomware situation was an impermissible disclosure (because the attacker had access to the data even if the data weren’t accessed or viewed), but the duty to notify or report would depend on the risk assessment: was there a low probability of compromise of PHI? If so, then reporting and notification would not be required. But absent a risk assessment showing low risk of compromise, the duty would be to report and notify.
It seems not everyone read my post with the statement from HHS, as Dan Munro from Forbes subsequently argued that it’s not a reportable breach. Jack Danahy, on the other hand, argues that the ransomware is placing the PHI under the control of a criminal, and that should be a reportable incident.
Read more about their differing opinions on CMIO.