Main Menu Main Content
06.13.2017

The worldwide WannaCry ransomware attack that began in Europe on May 12, 2017 may still be fresh on your memory. On June 9, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a quick-response checklist for Health Insurance Portability and Accountability Act (HIPAA) Covered Entities and Business Associates who experienced a ransomware attack or other cyber-related security incident. The checklist requires that, in the event of such an incident, the affected entity should:

  • Execute its existing response and mitigation procedures and contingency plans (mandatory);
  • Report the crime to the appropriate law enforcement agencies, which may include state or local law enforcement, the FBI and/or the Secret Service;
  • Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs); and
  • Report the breach to OCR as soon as possible (mandatory). 

The full checklist and an infographic can be found here:
Checklist / Infographic

OCR considers all mitigation efforts taken by the entity during any particular breach investigation, including voluntary sharing of breached-related information with law enforcement agencies and other federal and analysis organizations. As a result, it is important for Covered Entities and Business Associates to understand the procedures on OCR’s checklist.

PDF

Media Contact

Susan M. Kurz
216.622.8346 (office)
513.502.8950 (mobile)
skurz@calfee.com

Subscribe to our Alerts
Jump to Page