Taft: Data breach tips and recovery plans for health care

July 12, 2017

By John Sharpe and Kim Rhoades

In May, the “WannaCry” ransomware worm hit systems in nearly 150 countries. In June, the “Petya” virus spread across the globe in a matter of hours (it was initially thought to be a ransomware attack; at the time of this writing some are theorizing that Petya was a disguised cyberwar attack). The health care industry was not immune. Many hospitals in England were affected: WannaCry locked doctors out of patient files and disrupted operating schedules, potentially endangering lives.

The federal government has issued information and guidance that affects Medicare and Medicaid health care providers. In response to the WannaCry incident, the U.S. Department of Health and Human Services’ Office of the Assistant Secretary for Preparedness & Response (ASPR) issued an update specifically addressing the threat ransomware attacks pose to health care organizations. The update includes a link to an earlier ASPR “TRACIE” newsletter focused on cybersecurity and cyber hygiene. In June, HHS ASPR issued the report of the Health Care Industry Cybersecurity Task Force.

In addition, on June 2, HHS’s Centers for Medicare and Medicaid Services issued guidance impacting multiple provider and supplier types eligible for participation in Medicare. It requires providers and suppliers to develop and maintain a comprehensive emergency preparedness program covering a variety of hazards, including cyberattacks.


Here are some brief tips from those ASPR materials for those entities that operate in the health care field.

Slow down

The most common delivery mechanism for ransomware is a malicious e-mail, either carrying an infected attachment or linking to one. The attachment may hide its true type behind a double extension (a file named like a document that is actually an executable) or the link may lead you to a malicious website that delivers the payload. This is a frequent warning, but the best defense is still to train your employees to be wary. Only open e-mails you are expecting from people you know. If you receive an attachment or a link from a colleague that you were not expecting, take a minute and call to verify before opening it. Malicious actors count on you acting quickly without thinking. Stop before opening something if you are not 100 percent certain of the source.
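The paragraph above describes attachments whose executable nature is hidden behind a document-like name. The following is an added example, not code from the article or its authors, showing the kind of check a mail gateway or help desk script can apply: it flags double extensions, filenames padded or reversed to hide the real extension, and files whose content bytes say "Windows executable" even when the name says ".pdf". The extension lists, the sample filenames and the byte strings are constructed for illustration and are assumptions, not a complete blocklist.

```python
"""Flag e-mail attachments that disguise an executable as a document.

Added example, not from the original article. The filenames and byte
strings used below are constructed for illustration.
"""

# Extensions Windows will run directly or that carry scripts (assumed list,
# not exhaustive; tune it for your environment).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "ps1", "msi", "dll", "lnk", "jar",
}
# Office formats that can carry macros: worth a human look, not an outright block.
MACRO_EXTS = {"docm", "xlsm", "pptm"}
# Types users expect to be harmless.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Leading bytes that identify a file type regardless of its name.
MAGIC = {
    b"MZ": "exe",          # Windows PE executable
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also docx/xlsx/jar containers
}

RTL_OVERRIDE = "\u202e"  # makes "invoice\u202efdp.exe" display as "invoiceexe.pdf"


def split_extensions(filename):
    """Return every extension, lower-cased: 'Invoice.pdf.exe' -> ['pdf', 'exe'].

    Trailing dots are stripped, and whitespace inside each part is removed so
    that padding such as 'report.pdf        .exe' still yields ['pdf', 'exe'].
    """
    parts = filename.strip().rstrip(".").split(".")
    return [p.strip().lower() for p in parts[1:] if p.strip()]


def sniff_type(data):
    """Identify the content type from leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename, data=b""):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    if RTL_OVERRIDE in filename:
        return ("block", "right-to-left override character hides the real extension")
    exts = split_extensions(filename)
    if not exts:
        return ("review", "no extension")
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return ("block", f"double extension disguises .{last} as .{exts[-2]}")
        return ("block", f"executable attachment type .{last}")
    if sniff_type(data) == "exe":
        return ("block", f"content is a Windows executable despite the .{last} name")
    if last in MACRO_EXTS:
        return ("review", f"macro-enabled Office file .{last}")
    if last in DOCUMENT_EXTS:
        return ("allow", f"document type .{last}")
    return ("review", f"uncommon extension .{last}")


def scan_attachments(attachments):
    """Assess a batch of (filename, bytes) pairs; returns a list of (name, verdict, reason)."""
    return [(name, *assess_attachment(name, data)) for name, data in attachments]


if __name__ == "__main__":
    # Constructed sample mailbox: names and leading bytes are made up for the demo.
    samples = [
        ("Invoice.pdf.exe", b"MZ\x90\x00"),
        ("scan.pdf", b"%PDF-1.4 ..."),
        ("scan.pdf", b"MZ\x90\x00"),
        ("photo.jpg        .scr", b"MZ\x90\x00"),
        ("invoice\u202efdp.exe", b"MZ\x90\x00"),
        ("budget.xlsm", b"PK\x03\x04"),
        ("README", b""),
    ]
    for name, verdict, reason in scan_attachments(samples):
        print(f"{verdict:6s} {name!r}: {reason}")
```

The content check matters because renaming is free for an attacker: a PE file called `statement.pdf` still starts with `MZ`, so the verdict comes from the bytes, not the name. Treat "review" results as a queue for a human, not as safe.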

Keep up to date

Microsoft had released a Windows security patch for the vulnerability WannaCry exploits about two months before the attack. Systems with that patch installed were not infected by the worm. Keeping your systems up to date and promptly applying security patches can prevent a nightmare scenario.

Post-attack response

If you are a victim, HHS recommends that you contact your local FBI field office immediately to report the attack and request assistance. HHS further recommends that your organization report the incident to the United States Computer Emergency Readiness Team (US-CERT) and the FBI Internet Crime Complaint Center (IC3). A ransomware attack can also have HIPAA implications.

Under HHS guidance, a ransomware attack on a health care organization is presumed to be a reportable breach unless the organization can demonstrate a low probability that protected health information was compromised, for example because the data was already encrypted to HHS standards, and therefore unreadable to the attacker, before the attack. If the organization cannot show this, the breach must be reported without unreasonable delay and no later than 60 days after it is discovered. Failure to adhere to this timeline has resulted in a major HIPAA fine for at least one organization. Breach response cannot be forgotten in the chaos and must be handled within the required timeframe.

Health care providers have invested substantial resources over the last two decades developing and implementing electronic systems for managing patients, treatments, data and records. Now protocols are needed to manage these activities if the technology becomes inaccessible. How each provider prepares will be specific to its services and supplies, but each response plan must include the following:

1. A multidisciplinary response team. At a minimum, the team should include:

• A leader (directs and facilitates activities)

• A logistics coordinator (administratively supports the team)

• Communications (coordinates all internal and external communication)

• Legal/regulatory (legal and compliance recommendations)

• IT (provides incident impact information and updates on re-securing the data)

• Operations (provides operational and financial impact information).

A growing number of lawyers are bilingual (they speak both tech and law!) and can help bridge communication gaps among members of the team.

2. Incident notification. The plan should describe who reports a cyber-incident to management and law enforcement, what is reported, when and how, and should identify the external stakeholders and the timeframe for notifying them. The following resources provide information about the legal reporting requirements:

• HIPAA Breach Notification Rule
• HHS HIPAA Breach Notification Form
• Complying with the FTC’s Health Breach Notification Rule

3. Investigations. The plan should provide for a forensic investigation to identify how the breach occurred, how the damage can be minimized and how similar attacks can be prevented in the future. Coordination with law enforcement should be addressed. Depending on the facts and complexity of the case, assistance from an outside firm may be advisable.

4. Internal communications. Employees need to receive clear and consistent messages to minimize rumors and uncertainties. Details of what occurred may not be available, but the initial communication should let staff know of the issue and remind them of applicable policies and procedures concerning confidentiality, contact with media and record retention. The plan should also identify timelines for internal and external communications.

5. Media communications. Internal or external media relations experts should be consulted to design the talking points which accurately but succinctly describe the nature of the breach, the potential harm and recommended actions.

6. Remediation. Once the investigation is complete and the cause and impact identified, the response plan needs to address steps to eliminate a recurrence and reduce the harmful impact to victims. The remediation portion of the plan should address:

• Updating software, policies and procedures implicated in the breach investigation.

• Training staff, or retraining them on preexisting data, privacy and security protocols that were not followed, and spelling out the consequences of failing to follow those protocols.

• Securing privacy or credit monitoring services for victims.

• Establishing a process and timeframe for regular audits of the security and data protection systems, including detection exercises with a third party.

• Debriefing and analyzing the preparation and pre-attack drills to identify if staff were adequately prepared to carry out essential services during the event.

Extra Resources

The following resources provide additional guidance:
• Ransomware Q & A
• Current information on attack
• Indicators Associated with WannaCry Ransomware
• Additional Information on Ransomware
• ASPR Cyber Threat to Healthcare Organizations Update
• HHS Update #3: International Cyber Threat to Healthcare Organizations
• Request an unauthenticated scan of public IP addresses from DHS: Contact them for more information at


• John Sharpe and Kim Rhoades are health care attorneys at Taft Stettinius & Hollister LLP. They can be reached at and The opinions expressed are those of the authors.

