Data Loss Prevention Blog

It’s Official - Ransomware is a HIPAA Data Breach

Well, it’s now official: a “ransomware” event constitutes a HIPAA Breach according to the HHS Office for Civil Rights, the agency responsible for determining such things. "When electronic protected health information is encrypted as the result of a ransomware attack, a breach has occurred," the HHS guidance states.

There is one exception, if the data had already been encrypted by the organization itself, and the hackers who got access to it would not have been able to do anything with it. This also depends on the type and level of encryption, so there’s definitely not an absolute safe harbor scenario for just encrypting.

The guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, entities experiencing a breach of electronic protected health information (ePHI) must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate and document that there is a “low probability” that the information was compromised.

The recent ransomware attack that happened to the Hollywood Presbyterian Medical Center would be considered a HIPAA breach. So in addition to the $17,000 ransom they paid, the hospital would now be on the hook for the significant costs of informing all the clients whose data was breached along with all the other HIPAA notification requirements and potential fines that come with a breach. So, the actual ransom might often be a small drop in the bucket in terms of the overall cost of a ransomware attack.

Even though this ruling is specific to HIPAA compliance regarding ePHI, if your organization is working in a regulated environment (such as financial services), it would be prudent to expect that other regulatory bodies will adopt the same view of ransomware in terms of considering it a data breach. So just because you’re not in healthcare, don’t think that you’re off the hook.

Although DeviceLock does not position itself specifically in the actual ransomware/malware prevention market, our solution can certainly mitigate the threats of malware and ransomware introduction if used in a “least privilege” approach to access policy as recommended. When you’re looking at strategies and technologies to block ransomware, you have to look at all the potential threat vectors with a particular emphasis on endpoints, since this has been shown to be the most likely place to launch an attack.

Regarding ransomware, DeviceLock is able to contextually block several common inbound avenues for ransomware and other malware at the computer endpoint layer. DeviceLock provides control over the peripheral ports, device media such as USB drives, and block some common network-facing applications (i.e. cloud services, webmails, instant messengers, FTP, Torrents, etc.) that can be accessed at an endpoint computer as well as controlling the types of files that can be accessed from removable media, chat sessions, and more. As malware/ransomware files are generally some form of “executable” or a file hidden in zipped or compressed “archives”, DeviceLock can block read and write access to these file type binaries regardless of the actual file type display name the hackers use.

In fact, we wrote an entire blog post on ransomware and the role that DeviceLock’s endpoint data leak prevention (DLP) plays in reducing the risk of an attack. You can read the post here:

If you’re interested in the role that DLP plays in achieving HIPAA compliance (or any other kind of regulatory compliance in regards to data breaches), please take 30 minutes to watch our recent webinar titled: Achieving HIPAA Compliance with Endpoint Data Leak Prevention Solutions. You can access the on-demand webinar here:

DeviceLock has been providing the industry’s most trusted endpoint DLP solutions since 1996, and offers endpoint control and data leak prevention software to some of the world’s most security intensive environments that include healthcare organizations, government agencies, defense contractors, pharmaceutical companies, academic institutions, financial and legal firms in over 100 countries.

If you’d like to trial the DeviceLock DLP Suite for 30 days, please visit our website at: For more information on DeviceLock’s DLP solutions, call us at 925-231-4400 or email to us.sales (at) to talk to one of our endpoint security specialists.