August 23, 2017


Office for Civil Rights Releases Checklist On What To Do Following A Cyber Attack

Since the WannaCry ransomware virus spread rapidly across the globe, businesses, both large and small, are again focusing on cyber-security. In a previous bulletin, we detailed five things that a business can do to help prevent a cyber-attack. However, in the unfortunate event that your business experiences a cyber-attack affecting protected health information, this bulletin provides guidance from the Department of Health and Human Services Office for Civil Rights ("OCR") regarding what you must do.

On June 8, 2017, OCR released a checklist for covered entities and business associates (together referred to as "entities" herein) to use when responding to a cyber-attack. While some might find the checklist to be very simple, it does two important things:

  • Serves as a reminder that OCR is taking cyber-attacks on protected health information very seriously; and

  • Serves as a further reminder to entity leadership that taking certain steps following a cyber-attack is essential to minimizing the entity’s exposure.

If ever investigated, OCR will consider all of an entity’s mitigation efforts and will certainly begin by making sure an entity "checked all boxes" on the checklist, as appropriate. In short, this checklist provides that entities:

  • Must execute their response and mitigation procedures and contingency plans;

  • Should report the crime to appropriate law enforcement agencies;

  • Should report all cyber threat indicators to federal and information-sharing and analysis organizations; and

  • Must report the breach to affected individuals, OCR and the media, if appropriate, within the prescribed time frames.

© Copyright 2017 Murtha Cullina


About this Author

Stephanie Sprague Sobkowiak, Murtha Cullina

As the co-chair of the firm's Health Care practice group, Ms. Sobkowiak represents health systems, hospitals, physicians, physician groups and other clients in the health care industry.  Her practice includes assisting those clients with a wide range of compliance, regulatory, managed care, risk management and reimbursement issues, including fraud and abuse, payor contracts, medical staff and credentialing matters, Certificates of Need and HIPAA and related security breaches. 

Ms. Sobkowiak has experience assisting health care clients with a wide variety of contracts, from physician...

Daniel Kagan, Murtha Cullina

Mr. Kagan is an associate in the Health Care Group of Murtha Cullina.  He represents hospitals, physicians and other health care clients with a wide range of regulatory, compliance, risk management and reimbursement issues.

Prior to joining Murtha Cullina, Mr. Kagan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court. 

Mr. Kagan received his J.D. with honors from the University of Connecticut Law School where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal.  He earned his Bachelor of Arts in Economics from McGill University.