For some insurance agencies, benefit plan administration firms and law firms, ransomware infections could lead to trouble with federal regulators as well as demands for cash from the ransomware issuers.

Officials at the Office for Civil Rights, part of the U.S. Department of Health and Human Services, talk about ransomware compliance issues in a new batch of "guidance," or semiformal advice.


Organizations that hold people's health information should take HHS data defense requirements and incident response planning requirements seriously, and they should be ready for ransomware attacks before the attacks start, officials say in the guidance.

If an organization notices that it's being attacked, it "must initiate its security incident response and reporting procedures," officials say.


The civil rights office uses a four-factor process to decide whether an incident poses a high risk that health data has been compromised. Some common health data protection strategies, such as encrypting the data, may not do much to protect it against ransomware, officials say, because ransomware running on a system typically has the same access to the data as the system's legitimate user.

If, for example, all that's protecting health information on a ransomware-infected laptop is full disk encryption, "a breach is presumed," officials say.

The Health Insurance Portability and Accountability Act of 1996 requires a company affected by a breach to notify the HHS secretary, and to warn the people whose records were breached "without unreasonable delay." 

If a breach affects more than 500 people, the affected company must alert the media.

Civil rights office officials aimed the new advice at companies and nonprofit organizations that have to comply with the HIPAA Security Rule.

The civil rights office developed the HIPAA Security Rule to set standards for protecting people's health information from hackers, stalkers and others who have no right to see the information. Regulators classify hospitals and health insurers as "covered entities" for purposes of health data security. Regulators apply similar rules to the covered entities' business associates.

The list of business associates includes health insurance agents and brokers, many health plan administrators, and some agents who sell medically underwritten products other than major medical insurance.

In some cases, federal regulators may classify law firms that advise insurers, hospitals or other HIPAA covered entities as business associates.


Allison Bell

Allison Bell, a senior reporter at ThinkAdvisor and BenefitsPRO, previously was an associate editor at National Underwriter Life & Health. She has a bachelor's degree in economics from Washington University in St. Louis and a master's degree in journalism from the Medill School of Journalism at Northwestern University. She can be reached through X at @Think_Allison.