Responding to Ransomware: Applying HITECH's Breach Notification Rules to a Cyberattack

Executive Summary

Ransomware is a form of malicious software designed to block access to data by encrypting it, effectively holding the information hostage until the attacker’s demands, usually payment in cryptocurrency, are met. In the healthcare sector, ransomware attacks commonly target critical systems such as electronic health records (EHR), patient scheduling, billing systems, and other essential applications that store or process electronic protected health information (ePHI).

When a ransomware attack occurs, the HHS Office for Civil Rights (OCR) typically presumes that a breach of unsecured PHI has taken place. This is based on the understanding that attackers often exfiltrate, or steal, data before encryption, even if they do not publicly admit it. The burden is on the covered entity to prove that there is a low probability that the PHI was compromised in the attack. Without sufficient evidence to demonstrate this low risk, the ransomware incident is considered a reportable breach under HIPAA.

For small healthcare practices, this means that prevention, rapid detection, and thorough incident documentation are vital. Practices must have robust cybersecurity defenses and clear breach response plans to minimize risk, comply with breach notification rules, and protect patient data from potential exposure.

Understanding Ransomware in a Healthcare Context

Ransomware is a type of malicious software that encrypts data, making it inaccessible until the attacker’s demands are met, often for payment in cryptocurrency. In healthcare, this typically involves patient records, scheduling systems, and other critical applications.

While some attackers may claim not to exfiltrate data, the HHS Office for Civil Rights (OCR) generally presumes a ransomware attack involving ePHI to be a breach unless the covered entity can demonstrate a low probability that the PHI has been compromised. This presumption places the burden of proof squarely on the practice.

HITECH’s Breach Definition and Ransomware

Under 45 CFR § 164.402, a breach is the unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. The rule’s four-factor risk assessment determines whether breach notification is required:

  1. Nature and extent of the PHI involved

  2. Unauthorized person who used or accessed the PHI

  3. Whether the PHI was actually acquired or viewed

  4. Extent to which the risk has been mitigated

In ransomware cases, encryption by an unauthorized actor typically meets the “acquisition” threshold, triggering the breach notification process unless the entity can prove otherwise.

Notification Requirements After a Ransomware Breach

If your risk assessment determines that a breach has occurred:

  • Individuals: Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.

  • HHS: If the breach affects 500 or more individuals, notify HHS contemporaneously with individual notice. For breaches affecting fewer than 500 individuals, you may report annually, but no later than 60 days after the end of the calendar year in which the breach was discovered.

  • Media: If the breach affects 500 or more residents of a state or jurisdiction, notify prominent media outlets in that area.

Each notice must include specific content elements under 45 CFR § 164.404(c), such as a description of the breach, the information involved, and mitigation steps.

Real-Life Case Study: Ransomware in a Multi-Physician Clinic

In 2021, a multi-physician family medicine clinic in the Midwest suffered a ransomware attack that encrypted its entire EHR database. The attackers demanded payment for a decryption key and claimed they had not exfiltrated data.

The clinic’s forensic investigation revealed evidence of network activity consistent with data exfiltration. Because the clinic could not confirm that no PHI was acquired, it applied the HITECH breach notification rule and issued notices to 12,000 patients within 45 days.

The practice also notified HHS and local media, as required. While the clinic avoided OCR penalties due to timely compliance, it incurred over $100,000 in remediation and legal costs.

Lesson Learned: Even without definitive proof of data theft, the presumption under HITECH means most ransomware events involving ePHI will be treated as breaches.

Conducting the Post-Incident Risk Assessment

A thorough risk assessment following ransomware should include:

  • Forensic investigation of affected systems

  • Review of system logs and network traffic

  • Identification of data types and sensitivity levels

  • Documentation of all findings, including the rationale for breach determination

OCR expects detailed records of the assessment process, which may be requested during an investigation.

Coordinating With Business Associates

If the ransomware attack occurs within a business associate’s system (e.g., a cloud EHR vendor), the BA must notify the covered entity under 45 CFR § 164.410. Timely BA communication is critical, as the 60-day notification clock starts when the breach is discovered by either party, whichever is earlier.

Covered entities should have detailed incident reporting requirements in their business associate agreements to ensure prompt notification.

Common Pitfalls and How to Avoid Them

Pitfall 1: Delaying the Breach Determination

Some practices spend weeks debating whether a ransomware event is a breach, eating into the 60-day notification window.

How to Avoid It: Begin the risk assessment immediately after incident discovery and set an internal deadline for decision-making.

Pitfall 2: Overreliance on Attacker Claims

Believing an attacker’s statement that no data was stolen can lead to regulatory missteps.

How to Avoid It: Base your determination on independent forensic evidence, not attacker assurances.

Pitfall 3: Incomplete Risk Assessment Documentation

Failing to record your analysis leaves you vulnerable if OCR investigates.

How to Avoid It: Keep detailed records of each risk assessment factor, including data sources and mitigation steps.

Pitfall 4: Missing Media Notification Requirements

Some practices notify patients and HHS but forget media notification for breaches affecting 500+ residents.

How to Avoid It: Include media notification as a standard checklist item for large breaches.

Pitfall 5: Gaps in Business Associate Communication

Delays in BA reporting can cause covered entities to miss notification deadlines.

How to Avoid It: Require BAs to report any suspected breach within 48 hours, and test communication procedures annually.

Pitfall 6: Lack of Incident Response Planning

Practices without a tested incident response plan often make rushed decisions under pressure.

How to Avoid It: Develop and rehearse a ransomware-specific response plan that includes breach notification procedures.

Pitfall 7: Ignoring State Breach Laws

State laws may impose shorter timelines or additional notice requirements.

How to Avoid It: Maintain a state law reference chart and always apply the stricter standard.

Pitfall 8: Underestimating Post-Breach Costs

Even if penalties are avoided, response costs can be substantial.

How to Avoid It: Factor breach response expenses into your practice’s risk management planning.

Ransomware Breach Response Checklist

| Task | Responsible Party | Frequency |
| --- | --- | --- |
| Begin risk assessment immediately after discovering the ransomware incident to meet notification deadlines. | Incident Response Team / IT | Immediately after incident |
| Conduct a thorough forensic investigation of affected systems to determine breach scope. | Cybersecurity Specialist / IT | Post-incident |
| Review system logs and network traffic to identify unauthorized access or data exfiltration. | Cybersecurity Specialist / IT | Post-incident |
| Identify types and sensitivity of compromised data to evaluate risk level. | Compliance Officer / Privacy Officer | Post-incident |
| Document all findings and rationale for breach determination in detail for audit readiness. | Compliance Officer | Post-incident |
| Notify affected individuals without unreasonable delay and within 60 days of discovery. | Compliance Officer / Legal | Post-incident |
| Notify HHS simultaneously with individual notices if 500 or more individuals are affected. | Compliance Officer / Legal | Post-incident |
| Notify prominent media outlets if the breach affects 500+ residents of a state or jurisdiction. | Compliance Officer / PR | Post-incident |
| Ensure business associates notify covered entities within 48 hours of breach discovery. | Business Associates / Compliance Officer | Ongoing |
| Maintain updated incident response plans including ransomware-specific breach notification procedures. | Compliance Officer / IT Management | Annually |

References and Further Reading

  1. HHS Guidance on Ransomware and HIPAA

  2. HIPAA Breach Notification Rule – 45 CFR §§ 164.400–414

  3. FBI Cybercrime and Ransomware Guidance

Final Thoughts and Recommended Next Steps

Ransomware incidents pose distinct and serious challenges for healthcare providers, especially small practices that may have limited IT resources. Under the HITECH Act, breach notification requirements are explicitly defined, with a strong presumption that protected health information (PHI) has been compromised during a ransomware attack unless the practice can provide convincing evidence to the contrary. This means that in most cases, ransomware incidents will trigger mandatory breach notifications to affected individuals, the Department of Health and Human Services (HHS), and potentially the media.

To prepare your practice effectively, it is crucial to develop and regularly test an incident response plan tailored specifically to ransomware events. Rapid forensic investigations should be established to assess the extent of the breach promptly. Your business associate agreements (BAAs) must include clear and enforceable breach reporting timelines to ensure timely communication. Additionally, keeping an up-to-date reference of applicable state breach notification laws will help your practice meet all legal obligations. Thorough documentation of every decision and action related to the breach is essential for regulatory compliance and audit readiness.

By taking these proactive steps, your practice can minimize regulatory penalties, protect patient trust, and reduce reputational harm if a ransomware attack occurs.