Allscripts ransomware attack; the implications for providers and patients.

Allscripts stated position on the successful ransomware attack it experienced on January 19th

“We are investigating a ransomware incident that has impacted a limited number of our applications. We are working diligently to restore these systems, and most importantly, to ensure our clients’ data is protected.  Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems.  We regret any inconvenience caused by this temporary outage.” https://www.healthcare-informatics.com/news-item/cybersecurity/allscripts-acknowledges-ransomware-attack-says-impact-limited.

Ransomware & HIPAA…

While well and good, the statement does not address a fundamental issue as to the ramifications of this security incident under the HIPAA regulations.  In July 2016, OCR issued guidance on ransomware as a breach https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf stating that “

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.”

Due diligence is beyond necessary…

So whether this incident is in fact a breach is fact specific.   But as a breach, will impact each of the organizations involved, and their patients.  It would be helpful if Allscripts were to provide additional information so customers could assess their liability.  Additionally, in the current era of prolific cybercrime, it is only good citizenship.