If you are a healthcare data custodian that is subject to a ransomware attack, you may be required to report the incident to regulators and to those individuals whose information was subject to the attack.
Ransomware attacks typically involve an attacker encrypting the custodian's data and withholding the decryption key until the custodian pays a ransom. The attacker is not necessarily able to view the data.
Part I of the federal Personal Information Protection and Electronic Documents Act (PIPEDA)[1] does not apply to health data custodians collecting, using or disclosing personal information in Ontario.[2] Instead, healthcare data storage in Ontario is regulated under the Personal Health Information Protection Act, 2004 (PHIPA),[3] which the Governor in Council of Canada has deemed to be substantially similar to PIPEDA.[4]
The PIPEDA regime requires notification to the Privacy Commissioner and individuals whose data has been compromised if a cyberattack creates a real risk of significant harm to the individual. Arguably, a ransomware attack does not create any risk of harm to the party whose data is encrypted if the attacker does not access the information in a decrypted form. Entities subject only to PIPEDA, therefore, may not be obliged to report ransomware attacks.
Unlike the PIPEDA regime, however, under ss. 12(2) and 12(3) of PHIPA, individuals and the Information and Privacy Commissioner must be notified if personal information is “stolen or lost or if it is used or disclosed without authority.” Typically, a ransomware attack does not result in the loss or theft of personal information. The question that arises therefore is whether a ransomware attack results in the disclosure of the personal data.
Some American regulators interpreting similar regulatory regimes consider ransomware attacks to result in a “disclosure”.[5] The United States Office of Civil Rights of the Department of Health and Human Services, which is responsible for regulating under the American Health Insurance Portability and Accountability Act, stated in its fact sheet as follows:
When electronic protected health information (ePHI) is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.[6]
The United States Office of Civil Rights requires notification to individuals whose information was encrypted after a ransomware attack unless the custodian had previously properly encrypted the “ePHI” within the recommended guidelines.[7]
Though Canadian regulators have not issued any similar statement, the United States Office of Civil Rights’ interpretation may be some indication as to whether a ransomware attack will be deemed to be a disclosure under the PHIPA regime.
A healthcare data custodian that fails to comply with PHIPA may be subject to various orders of the Information and Privacy Commissioner under s. 61(1), including orders requiring the organization to cease collecting healthcare data and implement certain information practices.
Further, failure to comply with PHIPA could be used as evidence in related civil claims. Healthcare data custodians that are subject to a cyberattack may be held liable under common law causes of action, including torts for invasion of privacy.[8] Such organizations may be particularly vulnerable to liability from a cyber breach based on claims that the organization has a fiduciary duty to those individuals whose information is stored and therefore has a heightened duty of care.
In order to minimize repercussions on the regulatory front or from potential civil claims, organizations that store healthcare data and are subject to a ransomware attack should consult counsel to understand their reporting and notification obligations.[9]