Nationwide Dental Practice Ransomware Incident Underscores Heightened Risk for Medical Providers

Saul Ewing LLP

More than 400 dental offices across the United States were the victims of a recent ransomware attack that prevented dentists from accessing patient records and patient personal data. PercSoft, a Wisconsin-based company that operates the Digital Dental Record to manage patient dental records, announced on August 27, 2019 that it had been the victim of a ransomware attack. In this attack, the perpetrators encrypted the data in the affected dental offices to prevent dentists from viewing or accessing the patient information.

While PercSoft stated that no patient data was accessed as part of the attack, whether or not ransomware is considered a breach under the HIPAA Rules is a fact-specific inquiry. Unless the covered entity (i.e., the dental offices) can demonstrate that there is a “low probability that patient health information (“PHI”) has been compromised,” a breach has presumptively occurred. See 45 C.F.R. 164.400-414.

In order to overcome this rebuttable presumption and demonstrate that there was a “low probability” that PHI has been compromised, the covered entity must conduct a risk assessment that considers at least the following four factors (see 45 C.F.R. 164.402(2)):

  1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. the unauthorized person who used the PHI or to whom the disclosure was made;
  3. whether the PHI was actually acquired or viewed; and
  4. the extent to which the risk to the PHI has been mitigated.

While these four factors must be considered, covered entities should also consider a wide range of additional factors, including, but not limited to, the specific malware being used, the type of data in question, and whether there has been any attempt to export the PHI.

This type of attack is an important reminder for health practitioners to be prepared for ransomware attacks with wide-ranging contingency plans that can be put in place immediately after receiving notice of an attack. Health practitioners should perform frequent backups of PHI and maintain the ability to recover these backups on a separate server to ensure access to PHI in the event of a ransomware attack. More information on HIPAA and ransomware attacks can be found here.

Overall, the risk associated with ransomware continues to rise as attackers continue using familiar strains of ransomware as well as developing new varieties that are harder for organizations to defend against. In a report issued in July 2019, cybersecurity researchers predicted that ransomware could cost organizations as much as $20 billion annually by 2020. For health care organizations, the costs – and legal risk – associated with a ransomware incident can be particularly high because of the HIPAA compliance obligations imposed on covered entities.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Saul Ewing LLP
