Health systems use OCR loophole to forgo breach reporting following a ransomware attack

Several health systems were victimized by high-profile ransomware attacks last year that led to operational complications, but you won’t find their names on the federal data breach portal.

That’s because healthcare entities are taking advantage of a regulatory loophole that gives them some wiggle room when it comes to reporting a ransomware data breach to the Department of Health and Human Services, according to the Wall Street Journal.

Maryland-based MedStar Health took three weeks to recover after a ransomware attack shut down the organization's IT systems last year. Around the same time, Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 to obtain a decryption key following an attack.  

Neither organization is listed on the HHS Office for Civil Rights’ (OCR) breach portal, often called the “wall of shame.” In guidance released last year, OCR said organizations infected with ransomware must report the incident unless there’s a “low probability” that patient data has been compromised. It appears healthcare organizations have been using that gray area to limit reporting, since data is often immediately encrypted during ransomware attacks.

But that approach may not align with the original intent of the guidance. Last year, former OCR Director Jocelyn Samuels said the OCR guidance “makes clear that a ransomware attack usually results in a ‘breach’ of healthcare information under the HIPAA Breach Notification Rule.”

Two congressmen from California and Texas want HHS to require hospitals to report ransomware attacks, according to WSJ. At the same time, Rep. Michael Burgess, M.D., R-Texas, is pushing HHS to relax its approach to the "wall of shame," arguing that it is unfairly punitive.

Last week, FierceHealthcare reported that HHS is considering changes to the breach portal that might reduce the amount of time entities are required to be listed on the website. Privacy experts are split on the impact that might have on threat sharing.