Skip to Content

WannaCry Ransomware Attack: a Reminder of the Need for Robust Data Security

on Wednesday, 7 June 2017 in Health Law Alert: Erin E. Busch, Editor

Sometime around May 16, 2017, the WannaCry “ransomworm” began propagating throughout the world, hitting the British national health system the hardest.  Several hospitals around Britain had to cancel critical surgeries because WannaCry had encrypted medical records, making them unreadable to hospital staff.  The ransomware asks for about $300 in Bitcoin in exchange for the decryption key.

What is perhaps the most frustrating aspect of the WannaCry attack is that it was entirely avoidable.  The attack exploited a Windows vulnerability for which Microsoft had released an update in March 2017.  The affected computers had either not been updated or were running Windows XP, an older operating system which Microsoft had stopped supporting.  Microsoft did, however, in a rare move, release an update to mitigate the vulnerability for Windows XP.

WannaCry highlights the need for organizations to have robust security policies and training, with incident response plans.  Keeping the IT environment updated is critical, as are continued reminders to individuals that they should not click on suspicious links embedded within emails.

Health systems should take note that the Office of Civil Rights (“OCR”) deems a ransomware attack to be a reportable breach because it is an “acquisition” of ePHI and “thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”   To overcome the presumption of a breach, covered entities must determine that there was a low probability of compromise by assessing the following four factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

Covered Entities have 60 days from when they knew or should have known of the breach to determine whether or not it is reportable—thus, having an effective incident response plan is imperative.

An estimated 70-80 percent of successful cyberattacks use simple exploits that can be countered with an effective information security program that includes training regarding phishing and social engineering.  It is also important to test disaster recovery plans to make sure critical data can be restored if it is encrypted by ransomware.

Finally, it is important to engage legal counsel to help you determine your legal obligations if you are the victim of a successful cyberattack.

Justin W. Firestone


1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500