NotPetya Attack on Nuance Communications Not Reported to OCR

The Department of Health and Human Services’ Office for Civil Rights has previously made it clear in its ransomware guidance that, if ePHI is encrypted, ransomware attacks are usually HIPAA breaches and are always reportable violations.

In its ransomware guidance, OCR says that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” adding that the definition of a breach in HIPAA is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”

A ransomware attack is designated as a HIPAA breach because the actions of the hackers have led to the acquisition of PHI, in the sense that unauthorized people have taken control of the data.

The only time that an official violation report – and notifications to patients – would not be necessary is if the covered organization can demonstrate “a low probability that the PHI has been compromised.” OCR suggests covered organizations can make that determination after a risk assessment has been completed, basing the decision on the nature of PHI involved, who used the PHI or to whom PHI was released, whether PHI was actually seen or acquired, and the extent to which risk has been controlled.

However, what about the NotPetya ransomware attacks that happened recently? Many groups were attacked, including some healthcare organizations in the United States that are HIPAA covered entities. One of those groups is Nuance Communications, a business partner of several healthcare providers.

Nuance Communications has previously revealed that it had been attacked with NotPetya, and severely so. Almost three weeks after the attack, only 75% of its clients had regained access to its IT systems. The disruption to business services has been massive.

Since Nuance Communications stores PHI, the incident would appear to necessitate that a breach notice be filed with OCR and that affected people be warned. However, the decision was taken not to report the incident or to issue notification letters.

Author: Maria Perez