DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Reps. Lieu and Hurd urge ransomware events to be reported under HITECH

Posted on July 8, 2016 by Dissent

Representatives Ted W. Lieu (D | Los Angeles County) and Will Hurd (R | San Antonio) sent a letter to Deven McGraw, Deputy Director of the Office of Civil Rights of the Department of Health and Human Services (HHS) encouraging the office to focus on developing guidance for health care providers to respond to ransomware attacks under the disclosure and reporting requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act  and Health Insurance Portability and Accountability Act (HIPAA).

The letter urges the Office of Civil Rights to treat ransomware attacks as breaches under HITECH regulations and encourages regulators to require patient disclosures where denial of access to health records and/or health care services were negatively affected. As noted by the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, four in ten healthcare organizations are worried about ransomware attacks. This letter also strongly encourages rapid and mandatory notification of government agencies and cyber-response resources in order to stop widespread attacks and coordinate responses.

“I welcome the news of HHS providing guidance to health providers on a matter that threatens so many hospital IT systems. However, we need to make clear that ransomware is not the same as conventional breaches.  The threat to patients from ransomware is typically due to the denial of access to their medical records and medical services. Not only could this be a threat to privacy, but it could result in medical complications and deaths if hospitals can’t access patient information.  For example, in March 2016, MedStar was turning away patients due to a ransomware attack.  If a ransomware attack denies a patient access to their medical record or medical services, the patient needs to know as quickly as possible. We should encourage information about the attack to be shared with both the government and Information Sharing and Analysis organizations in order to prevent the spread of the attack to other providers.”

The full text of Mr. Lieu & Mr. Hurd’s ransomware letter.

SOURCE: Rep. Ted Lieu

Personally, I think the operational aspect is the priority, and putting nearby hospitals and facilities on alert that your facility may have issues resulting in delay or compromised treatment. Any entity designated as  Trauma Level 3 or higher should immediately activate an alert system to others and all emergency services.

As much as I’m a privacy advocate and fairly strident about disclosure and transparency, I do not think notifying patients individually is any kind of priority here at all. A notice that services are undergoing delays or interruptions that may impact all patients is appropriate, however.  The thing is, where are the patients going to go instead if all of their records have been based at the affected hospital? How will other hospitals access their records (remember interoperability issues)?


Related:

  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea's largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
Category: Breach IncidentsCommentaries and AnalysesHealth DataOf NoteU.S.

Post navigation

← FBI chief says Guccifer lied about hacking into Clinton’s email server
Insurance broker fined $1K for not following MPI privacy rules →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea’s largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers
  • North Country Healthcare responds to Stormous’s claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
  • Former U.S. Soldier Pleads Guilty to Hacking and Extortion Scheme Involving Telecommunications Companies

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
  • ICE is gaining access to trove of Medicaid records, adding new peril for immigrants
  • Microsoft can’t protect French data from US government access
  • Texas Enacts Electronic Health Record Data Localization Law
  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents
  • Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act​

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.