June 28, 2016
Press Release


WASHINGTON - Today, Representatives Ted W. Lieu (D | Los Angeles County) and Will Hurd (R | San Antonio) sent a letter to Deven McGraw, Deputy Director of the Office of Civil Rights of the Department of Health and Human Services (HHS) encouraging the office to focus on developing guidance for health care providers to respond to ransomware attacks under the disclosure and reporting requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act  and Health Insurance Portability and Accountability Act (HIPAA).

The letter urges the Office of Civil Rights to treat ransomware attacks as breaches under HITECH regulations and encourages regulators to require patient disclosures where denial of access to health records and/or health care services were negatively affected. As noted by the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, four in ten healthcare organizations are worried about ransomware attacks. This letter also strongly encourages rapid and mandatory notification of government agencies and cyber-response resources in order to stop widespread attacks and coordinate responses.

I welcome the news of HHS providing guidance to health providers on a matter that threatens so many hospital IT systems. However, we need to make clear that ransomware is not the same as conventional breaches.  The threat to patients from ransomware is typically due to the denial of access to their medical records and medical services. Not only could this be a threat to privacy, but it could result in medical complications and deaths if hospitals can’t access patient information.  For example, in March 2016, MedStar was turning away patients due to a ransomware attack.  If a ransomware attack denies a patient access to their medical record or medical services, the patient needs to know as quickly as possible. We should encourage information about the attack to be shared with both the government and Information Sharing and Analysis organizations in order to prevent the spread of the attack to other providers.”

The full text of Mr. Lieu & Mr. Hurd’s ransomware letter