Governance & Risk Management , HIPAA/HITECH , Incident & Breach Response
Nuance: NotPetya Attack Was Not a Reportable Health Data BreachMedical Transcription Services Vendor Explains Decision to Customers
Nuance, which was seriously impacted by the NotPetya malware attack in June, has issued an unusual public letter to customers explaining why the medical transcription services vendor has decided not to report the security incident to federal regulators as a health data breach.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The Department of Health and Human Services last year issued guidance that instructs covered entities and business associates that in most cases, ransomware attacks result in HIPAA breaches that must be reported to HHS' Office for Civil Rights.
However, in its letter to customers, Nuance lists the reasons why the company has determined that the incident doesn't need to be reported to OCR as a HIPAA breach. Most notably, Nuance asserts, "the NotPetya malware actually was not ransomware," citing Homeland Security's U.S. Computer Emergency Readiness Team "and other relevant U.S. government agencies."
No Impact to PHI?
In its letter, Nuance tells customers, NotPetya, "was not designed to give its perpetrators any capability to control data on affected systems. To date, we have seen no indication that the malware functioned differently in practice on affected Nuance systems."
The company adds, "the malware was not designed to allow any unauthorized party to view any file contents including electronic protected health information on affected systems ... not designed to copy or extract any file contents ... not designed to target the types of files in which Nuance stores ePHI"
Nuance adds: "Accordingly, based on facts presently known, while Nuance has determined that the incident constitutes a security incident for purposes of the HIPAA Security Rule, Nuance also has determined the incident does not constitute a breach of unsecured PHI for purposes of the breach notification rule."
The vendor says it is keeping its healthcare customers advised "as a courtesy and to fulfill any business associate agreement obligations Nuance may have to you to provide notice in the event of a security incident."
While Nuance contends in its letter that the NotPetya attack did not result in a breach of ePHI that must be reported to regulators, the company has acknowledged that the disruption to the medical transcription services it provides to healthcare organizations caused by the malware attack is also impacting the vendor's bottom line.
On July 21, the Waltham, Massachusetts-based company issued a financial statement warning Wall Street analysts that its fiscal 2017 third and fourth quarter revenue and earnings results would be negatively impacted by the June 27 ransomware attack (see Nuance Latest NotPetya Victim to Report Financial Impact).
In a separate statement issued on July 28, Nuance said it has brought back on-line the majority of its client base for its flagship eScription LH platform, restoring 75 percent of clients, "which account for approximately 90 percent of the total annualized volume of [medical transcription] lines that are transcribed on that platform."
Nuance isn't the only healthcare sector company that has admitted that the NotPetya attack is taking a toll on its financial results.
Pharmaceutical giant Merck on July 28 warned financial analysts that disruption caused by NotPetya to Merck drug production operations is expected to hurt the company's profits for the rest of the year, according to a report by news wire service Reuters.
Neither Nuance nor Merck immediately responded to Information Security Media Group's request for comment.
Security Incident vs Breach
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the public letter from Nuance to its customers that explains step-by-step why the company decided against reporting the NotPetya attack as a health data breach to OCR is a rare move.
"It clearly is unusual to announce the decision not to provide notice. That doesn't in any way mean it is wrong, just that it is uncommon - and I can't recall seeing this before," he says.
"My presumption - and that is all it is - is that this was a discussion between this company and its customers, with the customers agreeing that this was a reasonable approach. It does seem odd - given what they say the facts are - to notify some group of individuals about this situation. There is a real question of what purpose would be served by giving this notice," Nahra adds.
Attorney David Holtzman, vice president of compliance at security consultancy CynergisTek notes, "generally, the business associate agreement required by the HIPAA Security Rule must contain provisions that the contractor report to the covered entity security incidents that impact the confidentiality, availability or integrity of electronic protected health information created, stored or transmitted by their information systems." In this case, the public letter "seems meant to fulfill Nuance's obligations as a business associate to provide a report to its customers of a security incident," Holtzman says.
Because Nuance is a business associate under HIPAA, Nahra notes that the company needed to sort through "what their obligations under the law; and what are their obligations to their customers under their business associate agreements."
Holtzman says "Nuance is taking an interesting approach to communicating with its customers concerning their reporting of the security incident ... I think we will be looking at Nuance's handling of this incident for some time to come as a learning tool for a vendor's response to malware attacks that cripple your ability to maintain normal service levels to large numbers of health care organizations."
In July 2016, OCR issued guidance for covered entities and business associates, instructing them that in most cases ransomware attacks are reportable HIPAA breaches.
Nahra notes that "the HHS guidance on reporting this kind of breach tilts towards [providing breach] notice - in more situations than I might have suggested - but this one, assuming [Nuance's] facts are right, does seem to make sense not to go the extra step of [providing] individual notice" to each patient whose records were potentially impacted by the disruptions caused by NotPetya, he says.
While Nuance asserts that the NotPetya malware is not ransomware, relatively few ransomware-related breaches have been posted to OCR's HIPAA Breach Reporting Tool website - commonly called the "wall of shame" - which lists reports of health data breaches impacting 500 or more individuals.
Some privacy and security experts say that could be because of lingering uncertainty about whether these ransomware and other malware related incidents indeed result in compromises to protected health information that require reporting to federal regulators.