HIPAA and Ransomware: Prevention, Response, and Breach Notification

Ransomware is different from most HIPAA security topics because the Office for Civil Rights has been explicit about it: when ransomware encrypts electronic protected health information (ePHI), that encryption is a “disclosure” not permitted under the Privacy Rule, and it is presumed to be a reportable breach unless the entity can demonstrate a low probability that PHI was compromised. In other words, a ransomware attack does not have to exfiltrate a single record to trigger HIPAA breach notification duties. That presumption is what makes ransomware a compliance problem and not just an IT problem.

Why Ransomware Is Treated as a Presumed Breach

Under OCR guidance, the act of malware encrypting ePHI means an unauthorized party has acquired or controlled that data, which meets the definition of a breach. The covered entity or business associate must then perform a four-factor risk assessment, considering the nature of the PHI involved, who accessed it, whether it was actually viewed or acquired, and the extent to which the risk has been mitigated. Unless that assessment shows a low probability of compromise, the organization must notify affected individuals, the Secretary of Health and Human Services, and in larger incidents the media. This is a meaningfully higher bar than many practices assume.

Prevention: The Controls That Actually Reduce Ransomware Risk

Most ransomware enters through phishing, unpatched software, or exposed remote-access services. The defenses that matter most are tested, offline or immutable backups so you can recover without paying; multi-factor authentication on email and remote access; prompt patching; network segmentation so an infection cannot spread to every system holding ePHI; and ongoing staff training on phishing. Encryption of ePHI at rest also helps, though it does not by itself defeat ransomware, since the attacker encrypts the data on top of your encryption. It can, however, change the breach analysis: OCR's ransomware guidance notes that ePHI encrypted consistent with HHS guidance, where the attacker never had access to the plaintext or the key, is not "unsecured PHI" and so falls outside the notification rule. That exception is narrower than it sounds, because full-disk encryption offers no protection on a machine that is powered on and logged in, which is exactly the state in which ransomware runs. Running through a structured HIPAA compliance checklist is a practical way to confirm these controls are in place rather than assumed.

Response: The First Hours Matter

When ransomware hits, isolate affected systems immediately to stop spread, preserve forensic evidence rather than wiping machines, activate your incident response plan, and begin the breach risk assessment in parallel. The HIPAA breach notification clock is tight: affected individuals must generally be notified without unreasonable delay and no later than 60 days from discovery. Decisions about whether to pay a ransom carry their own legal and OFAC sanctions considerations and should involve counsel, not just IT.

Start With a Security Risk Analysis

Ransomware preparedness is impossible without knowing where your ePHI lives and how it is protected. The Security Risk Analysis required at 45 CFR § 164.308(a)(1)(ii)(A) is exactly that inventory: it identifies every system and vendor that touches ePHI, evaluates the threats to each, and surfaces the backup, access, and patching gaps that ransomware exploits. A current SRA is also one of the first documents OCR requests after a ransomware incident, so its absence compounds the problem. Our HIPAA risk assessment guide walks through what a defensible analysis includes.

The Proposed 2026 Security Rule Update

The Notice of Proposed Rulemaking published by OCR in December 2024 would directly raise the bar on ransomware resilience. It proposes removing the distinction between "required" and "addressable" implementation specifications, which would make controls such as multi-factor authentication, encryption, and network segmentation mandatory rather than optional, and adds explicit requirements around contingency planning and data recovery. The NPRM is a proposal, not final law, and organizations would have roughly 240 days from publication of any final rule to comply. Practices that harden their backup and access controls now will be ahead of those requirements.

How Medcurity Helps

Medcurity guides healthcare organizations through the Security Risk Analysis that underpins ransomware preparedness, helping you document where ePHI lives, identify gaps in backups and access controls, and track remediation in an audit-ready format. Pricing is $499/year (about $42/month) for a single organization; larger organizations can request a quote.

Frequently Asked Questions

Is a ransomware attack always a HIPAA breach?

It is presumed to be a breach when ransomware encrypts ePHI. The organization can rebut that presumption only by showing, through a four-factor risk assessment, a low probability that the PHI was compromised. Otherwise breach notification is required.

Do we have to report if we restored from backup quickly?

Fast recovery is a mitigating factor in the risk assessment, but it does not automatically remove the notification duty. You still must document the analysis showing why the probability of compromise was low.

What is the HIPAA deadline to notify after a ransomware breach?

Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach. Breaches affecting 500 or more individuals also require notice to HHS within that same 60-day window, and where more than 500 residents of a single state or jurisdiction are affected, notice to prominent media outlets serving that area. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Does paying the ransom satisfy HIPAA obligations?

No. Paying a ransom does not eliminate breach notification duties and may raise separate legal and sanctions concerns. The HIPAA analysis and notification requirements apply regardless of whether a ransom is paid.