There’s a loophole in Health and Human Services requirements for health care facilities to report cyberattacks and hospitals and health care centers are taking full advantage of it.

How does this happen? According to a Wall Street Journal report, if client medical or financial data are locked away by ransomware in an attack and have not been publicly exposed, the attack need not be reported.

The trouble with this is medical facilities, even if they pay the ransom, can be shut out of the data for weeks — as happened to Maryland’s MedStar Health, as it took three weeks to get everything up and running — with doctors taking notes by hand and lab results coming in late.

Recommended For You

Complete your profile to continue reading and get FREE access to BenefitsPRO, part of your ALM digital membership.

Your access to unlimited BenefitsPRO content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking benefits news and analysis, on-site and via our newsletters and custom alerts
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the property casualty insurance and financial advisory markets on our other ALM sites, PropertyCasualty360 and ThinkAdvisor
NOT FOR REPRINT

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.