Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) in a letter to the Department of Health and Human Services encouraged the agency to develop guidance for healthcare providers to use when responding to ransomware attacks.
Devin McGraw, Deputy Director for Health Information Privacy in the Health and Human Services Office for Civil Rights, highlighted this issue in her keynote address in April at the 2016 Cybersecurity and Privacy Protection Conference. She emphasized that covered entities bear the burden of demonstrating that a ransomware attack did not also result in activity that would constitute a data breach. The approach urged by Reps. Lieu and Hurd goes even further by treating every attack as a reportable breach. You can read the full text of the letter here.