Kirk Nahra Comments on OCR Ransomware Guidance
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in a July 13 Bloomberg BNA article about guidance issued by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) for health care organizations that experience ransomware attacks. Ransomware, a type of malicious software, is designed to prevent an organization from accessing its own data unless a ransom is paid.
Health care organizations have not been reporting ransomware incidents to HHS as they have for other types of cyberattacks, according to the article. Under federal privacy laws, these entities are required to notify their customers, HHS, and the media of any data breach that impacts more than 500 individuals. The new guidance clarifies that this requirement, in place since 2013, applies to ransomware attacks, unless a health organization can show that the affected data was encrypted and unreadable to the hacker.
“While there is no change in the rule, my sense is that their analysis, if followed by companies, will lead to more of these [ransomware] attacks leading to [HHS] notice than we might have thought previously,” Mr. Nahra said.