HIPA ransomware attack: Pro Sport Rehab and Fitness

A cyberattack against a Saskatoon sports rehab clinic has raised questions about how private clinics in Saskatchewan should handle personal information.

In October, Pro Sport Rehab and Fitness was targeted by a ransomware attack on its medical record database. The patient information in the database was encrypted and held for ransom by hackers.

As soon as the attack happened, the clinic's owners called the Saskatchewan Information and Privacy Commissioner to seek guidance. In an investigation by the privacy commissioner, Pro Sport said names, addresses, phone numbers and health-care numbers were included in the database and affected by the cyberattack.

However, because the clinic is private, it isn't included in Saskatchewan's Health Information Protection Act (HIPA), despite the wishes of the privacy commissioner.

Exclusion of private clinics 'wrong': commissioner

"The fact that corporations that provide health services in Saskatchewan, such as Pro Sport, are not covered by the definition of trustee in HIPA is wrong," wrote commissioner Ronald Kruzeniski in his report. "As a result, citizens do not have the same access and privacy rights and protections with respect to their personal health information."

The privacy commissioner said he had brought the issue up to the provincial government many times in the past, but private clinics remain outside of the privacy law.

Health minister considering beefing up privacy rules

"Many citizens in Saskatchewan may not know if the personal health information entrusted to their health-care provider is protected by HIPA," wrote Kruzeniski.

The privacy commissioner recommended that Pro Sport only collect health-care numbers of clients where the care provided is paid for by the public system, and destroy all health services numbers in its database that aren't required. It also recommended that the clinic tell all affected individuals about the ransomware breach, and that the company follow privacy best practices, including restricting personal devices from accessing the database.

ACTION STEPS

Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity that experiences a ransomware attack or other cyber-related security incident must take immediate steps to prevent or mitigate any impermissible release of protected health information (PHI). The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) has issued a checklist to help HIPAA-covered entities determine the specific steps they must take in the event of a data breach.

This document outlines those steps and provides general information regarding which entities are subject to HIPAA and the type of data that must be protected under the law. Employers that are subject to HIPAA should become familiar with the OCR's checklist and other guidance for preventing and responding to cyber security breaches involving PHI.