The U.S. Department of Health and Human Services (HHS) announced that ransomware attacks against covered entities or their business associates likely constitute security breaches that must be reported to HHS, affected individuals, and the media under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  The announcement included guidance issued by HHS’s Office of Civil Rights on actions entities should take to prevent, detect, and respond to ransomware attacks.  This guidance should be of interest to organizations beyond health care providers and their business associates, since it could be relied on by state regulators in determining whether a company that suffered a ransomware attack should have notified customers and regulators.