Typical breach scenarios involve a stolen laptop or other device, followed by the thieves extracting the medical records stored on it. A new type of breach has now occurred: hackers breaking into systems and holding PHI for ransom. Bloomberg recently reported a breach in which hackers burrowed into the computer network of a surgical practice in Illinois. Rather than stealing the data and using it for identity theft, the hackers encrypted the PHI and held it for ransom.
This type of incident would most likely be considered a “breach” under the HITECH Act, requiring breach notification to the affected individuals, unless NIST encryption standards were already employed, which provides a safe harbor. However, other HIPAA requirements are also implicated, including obligations under the Security Rule to have technical and physical safeguards in place, which may include building secure firewalls to keep such hackers out. Along with maintaining a secure system, it is also advisable to back up all PHI.