Ransomware Hit Your Practice: The HIPAA Breach Response Checklist

By GuardWell Compliance Team·April 16, 2026·11 min read

Ransomware in Healthcare: Why OCR Presumes It Is a Breach

Ransomware is not just an IT problem — it is a HIPAA compliance event with strict reporting obligations. In July 2016, the HHS Office for Civil Rights published guidance establishing that a ransomware attack on a system containing electronic protected health information (ePHI) is presumed to be a reportable breach under 45 CFR §164.402. The encryption of ePHI by a malicious actor constitutes an unauthorized “acquisition” of that data because the attacker has taken possession or control of it.

This means the burden is on your practice to demonstrate, through a documented risk assessment, that there is a low probability the PHI was actually compromised. If you cannot meet that burden, notification to affected individuals, HHS, and potentially the media is required.

Hour 1: Containment and Preservation

The first priority is stopping the spread without destroying evidence. Take these steps immediately:

  • Isolate affected systems — Disconnect compromised workstations and servers from the network. Do not power them off unless the ransomware is actively spreading; unplugging the network cable or disabling Wi-Fi stops lateral movement while preserving the volatile forensic evidence (memory, running processes) that a shutdown would destroy.
  • Do not pay the ransom — FBI guidance and HHS both advise against paying ransoms. Payment does not guarantee data recovery, may fund criminal enterprises, and does not satisfy your breach notification obligations.
  • Preserve evidence — Do not wipe or rebuild systems until forensic imaging is complete. If you do not have in-house forensic capability, contact a qualified incident response firm immediately.
  • Activate your incident response team — This should include your Privacy Officer, Security Officer, IT lead, legal counsel, and practice leadership. If you do not have a formal team designated, assemble one now.

Hours 2–24: Assessment and Scoping

Once containment is achieved, begin assessing the scope of the attack. Your incident management documentation should capture:

  • Which systems were affected and what ePHI they contained
  • How the ransomware entered your environment (phishing email, unpatched vulnerability, compromised credentials)
  • Whether there is evidence of data exfiltration — modern ransomware frequently copies data before encrypting it (“double extortion”)
  • Whether backup systems were compromised
  • The estimated number of patient records affected

Engage a forensic investigator to determine the full extent of the compromise. Their report will be critical for your four-factor risk assessment and any future OCR investigation.

The Four-Factor Risk Assessment for Ransomware

Under 45 CFR §164.402(2), you must conduct the same four-factor risk assessment that applies to any potential breach:

  1. Nature and extent of PHI involved: Ransomware that hits your EHR server likely involves the full spectrum of patient data — demographics, SSNs, diagnoses, treatment records, and insurance information. This weighs heavily toward breach.
  2. Who gained unauthorized access: The attacker is a criminal actor with malicious intent. This factor almost always weighs toward breach in ransomware cases.
  3. Whether PHI was actually acquired or viewed: If forensic analysis shows no evidence of data exfiltration (no outbound data transfers, no evidence the attacker accessed file contents), this factor may weigh in your favor. But the OCR guidance is clear: encryption by the attacker itself constitutes acquisition.
  4. Extent of mitigation: Rapid containment, forensic confirmation of no exfiltration, and system restoration from clean backups can support a finding that the risk was mitigated.

In practice, most ransomware incidents will meet the threshold for breach notification. Document your analysis thoroughly regardless of your conclusion — OCR will scrutinize the rigor of your assessment.

Notification Obligations

If the risk assessment determines a breach occurred (or you cannot demonstrate low probability of compromise), the HIPAA breach notification rules require:

  • Individual notification: Within 60 days of discovery to every affected individual (45 CFR §164.404). Letters must describe the breach, types of PHI involved, recommended protective steps, and your contact information.
  • HHS notification: For breaches affecting 500 or more individuals, report to OCR within 60 days. For fewer than 500, report by the end of the calendar year (45 CFR §164.408).
  • Media notification: If 500 or more individuals in a single state or jurisdiction are affected, you must notify prominent local media (45 CFR §164.406).

Ransomware attacks on medical practices frequently affect thousands of records, placing most incidents in the large-breach category with its accelerated reporting requirements.

Reporting Beyond HIPAA

HIPAA notification is not your only obligation. You should also consider:

  • FBI / IC3: Report the incident to the FBI’s Internet Crime Complaint Center (ic3.gov). Law enforcement engagement is voluntary but strongly recommended and may provide intelligence about the attacker.
  • CISA: The Cybersecurity and Infrastructure Security Agency (CISA) requests reports of ransomware incidents through StopRansomware.gov to support national threat intelligence.
  • State breach notification laws: Many states have independent breach notification requirements with different timelines and triggers. Some states require notification within 30 days, which is shorter than HIPAA’s 60-day window.
  • Cyber insurance carrier: Notify your carrier immediately. Most policies have strict reporting deadlines, and late notice can void coverage.

Recovery and Remediation

After containment and notification, focus on rebuilding securely:

  • Restore from clean backups: Only restore from backups verified to be free of the ransomware. Test restores in an isolated environment before reconnecting to production.
  • Patch the entry point: Address the vulnerability the attacker exploited. If it was phishing, implement additional email filtering and conduct targeted workforce training. If it was an unpatched system, establish a patch management cadence.
  • Reset all credentials: Change every password across the organization. Implement multi-factor authentication (MFA) on all systems that access ePHI if you have not already done so.
  • Update your risk assessment: The ransomware incident is now a documented finding in your security risk assessment. Update the assessment to reflect the attack vector, your response, and the controls you implemented to prevent recurrence.
  • Conduct a tabletop exercise: Within 90 days, run a tabletop drill of your updated incident response plan with your full team so the lessons from this event are embedded in practice, not just in a document.

What OCR Wants to See After a Ransomware Incident

When OCR investigates a ransomware-related breach report, they are looking for evidence that your practice had a reasonable security program in place before the attack and responded appropriately after it. Key areas of inquiry include:

  • Was a current, comprehensive risk assessment on file before the incident?
  • Were technical safeguards (encryption, access controls, audit logging) in place?
  • Was workforce security training current and documented?
  • Did the practice have a written incident response plan, and was it followed?
  • Were notifications sent within the required timelines?

Practices that can demonstrate a mature compliance program before the attack fare significantly better in enforcement outcomes than those that cannot. An audit-ready compliance posture is your best defense against both the attack itself and the regulatory consequences that follow.

Frequently Asked Questions

Is a ransomware attack automatically a HIPAA breach?

Not automatically, but OCR presumes it is. The 2016 OCR ransomware guidance states that the encryption of ePHI by a malicious actor constitutes an unauthorized acquisition, which is a presumed breach under 45 CFR §164.402. Your practice must conduct a four-factor risk assessment to rebut that presumption. In practice, most ransomware incidents meet the breach threshold because the attacker had access to and control over the data.

Should we pay the ransom?

The FBI and HHS both advise against paying ransoms. Payment does not guarantee data recovery, may violate OFAC sanctions if the attacker is a sanctioned entity, funds future criminal activity, and does not relieve your breach notification obligations. Focus your resources on containment, forensic investigation, and restoration from backups.

Does cyber insurance cover HIPAA fines from a ransomware breach?

Most cyber insurance policies cover breach response costs including forensics, notification, credit monitoring, and legal defense. Coverage for regulatory fines and penalties varies by policy and jurisdiction — some states prohibit insuring against government-imposed penalties. Review your policy carefully and involve your carrier from the first hour of the incident.

How long does OCR take to investigate a ransomware breach?

OCR investigations can take months to years depending on the complexity and severity. Breaches affecting 500 or more individuals are posted on the OCR Breach Portal (sometimes called the “Wall of Shame”) and investigated individually. Having thorough documentation of your pre-incident security program, your response actions, and your post-incident remediation will accelerate the process and improve your outcome.

We have backups and restored everything — is it still a breach?

Possibly. Successful restoration from backups mitigates the impact of the attack, but it does not change whether the breach occurred. The question is whether the attacker acquired or accessed PHI, not whether you ultimately recovered the data. If forensic evidence shows no exfiltration and the ransomware only encrypted data without accessing its contents, you may have a stronger argument — but the four-factor risk assessment must still be completed and documented.
