Case Study: Ransomware Breach and OCR Investigation

An office-based healthcare practitioner suffered a ransomware attack that encrypted patient information on the practice's servers. Based on the Health and Human Services' guidance on ransomware, the practitioner investigated the security incident and determined it to be a breach. The practitioner followed the Breach Notification Rule and notified patients, the media, and the Secretary of Health and Human Services.