
Preserving evidence is vital in a ransomware attack

Updated August 8, 2023

By Adrian P. Senyszyn, JD

A ransomware attack is pretty much what it sounds like — data held ransom. In these attacks, cyber criminals use software (ransomware) programmed to take control of and encrypt the data on a victim’s computer. (1) The criminals then threaten to destroy the data unless the victim pays a ransom. And health care professionals are now the preferred targets of these attacks.

In 2022, Texas and California tied for the second greatest number of large data breaches in health care. (2) According to the U.S. Department of Health & Human Services (HHS), 24 percent of reported large data breaches involved ransomware. (3)

It is important to have a plan in place for what to do before you become a target. Once targeted in a ransomware attack, it is vitally important to immediately report the incident to your cyber liability insurer, who will arrange the necessary resources, such as a cyber attorney and a forensics firm.


In 2016, the U.S. Office for Civil Rights (OCR) issued guidance stating “[o]nce a ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures” and “document security incidents and their outcomes.” (3) The OCR considers ransomware attacks to be security incidents, which require covered entities to demonstrate “…that there is a low probability that the PHI has been compromised.” (4)

However, after a ransomware attack, it can be difficult to satisfy that requirement and properly demonstrate the low probability that your electronic protected health information (ePHI) was compromised. There are no published cases or guidelines from the OCR describing what evidence is necessary, and the OCR may determine that your risk assessment does not provide a “reasonable conclusion.” (4)

Determining whether a ransomware-related breach occurred becomes more difficult when a provider fails to accurately investigate and document the incident. Often the best evidence that could have been documented is wiped clean from the server or infected computer while repairing the ransomware damage. Preserving evidence to help you prove a low probability of compromise to ePHI should be a main goal for you or your IT staff after a ransomware attack.


Providers can take steps following an attack to help preserve evidence, which may help them meet their burden of proof and conclude that there was a low probability of compromise to ePHI. You can help protect evidence by following these best practices:

Immediately disconnect. Ask your IT company or staff to disconnect your network from the internet immediately. Exfiltrating large amounts of data takes time, so the more quickly your system is disconnected from the internet, the less likely it is that information was compromised. Do not shut down the affected device, as this may destroy forensic data; volatile evidence such as the contents of memory is lost when a machine is powered off.

Immediately contact your medical professional liability carrier. Call your carrier to find out if you have cyber liability insurance. This insurance normally covers the costs of ransomware removal, forensic investigation, breach notification, OCR investigation, and fines and penalties. If you do not have cyber liability insurance, ask for referrals to reputable attorneys who handle such cases. Purchase cyber insurance for the future if you do not already have it.

Immediately retain a lawyer who has handled HIPAA incidents. If you have cyber liability insurance, an attorney will be assigned within hours or days of your report. If you do not have cyber liability insurance, ask your insurance company for the names of reputable attorneys experienced with HIPAA and cyber liability insurance. Retain one immediately so they can coordinate with your IT staff or vendor.

Investigate and document immediately. Once IT staff are on site, let them check your computers and servers. Make sure IT staff accurately document their findings in an incident report that is signed and dated. Screenshots or photographs taken with cell phones can help document evidence.

Determine the scope of the incident by identifying and documenting which networks, systems, or applications were affected; the name of the virus or malware; and the origin of the incident or vulnerability that caused it. Staff should document information related to the attack in separate incident reports that are signed and dated.

Do not wipe and rebuild your network. Erasing your servers and computers and restoring your information from clean backup data can seem appealing. But don’t do it before thoroughly investigating and documenting the incident. By wiping the malware from your system, you are likely destroying the evidence that proves the ransomware did not exfiltrate data to cyber criminals. You should also consider whether a forensic investigation of your computers and servers would be appropriate.

Immediately hire an IT company specializing in ransomware remediation. If you have cyber liability insurance, an IT company specializing in ransomware removal will be assigned to remove the virus from your system. Once the IT company removes the virus, a forensic investigation can be performed, if appropriate. Computer forensic companies are very specialized, and not all IT companies have the skill or experience to perform a forensic analysis.

Consult your practice’s security policies and procedures. Your medical practice should have HIPAA Privacy and Security policies and procedures in place. If you do not have these policies and procedures, please contact your insurance carrier or a reputable attorney who can help you adopt a set of policies and procedures tailored to your office. Review your policies for guidance and forms related to incident reporting and assessing risks. Provide your policies and procedures to your attorney.

Have a security risk assessment of your network done within two weeks. It is very important to identify and correct all vulnerabilities that may have caused the incident. Once the ransomware is removed, have an independent company perform a risk assessment of your network. Your medical liability carrier should know reputable IT vendors who can help you. If you have not had an independent security risk assessment performed in the past year, I highly recommend having one performed, given the recent evolution of cyber threats.

Identify and correct vulnerabilities within 30 days. As part of your efforts to mitigate the harm from the attack, and to show diligence in correcting the vulnerability and protecting patient information, make all corrections identified by the security risk assessment within 30 days of the incident. Document all corrections and any sanctions issued.

Paying the ransom demand? Avoid paying the ransom if possible. Although experts do not condone paying a ransom demand, they have acknowledged — depending upon the circumstances — that some practices are left with a tough business decision. If you cannot restore your critical operational data from a recent backup or decrypt your corrupted files using a third-party decryption tool, you may want to negotiate and pay the ransom (usually a Bitcoin payment) as a last resort. There is no guarantee the hacker will give you the decryption key, but in many cases they do. There is also no guarantee that all of your data can be recovered from the damage caused by the virus.

For more information on cyber liability coverage and cyber risk management resources, please contact Cathy Bryant at TMLT at or

To report a cyber claim, please contact TMLT at 800-580-8658.


1. Typical ransomware software uses RSA 2048 encryption to encrypt files. To illustrate how strong this encryption is, it would take the average desktop computer around 6.4 quadrillion years to crack an RSA 2048 key. From Ransomware: Hostage Rescue Manual. KnowBe4, 2016. Accessed August 8, 2023.

2. Alder S. 2022 Healthcare Data Breach Report. The HIPAA Journal. January 24, 2023. Available at Accessed August 8, 2023.

3. Rainer MF. U.S. Office for Civil Rights Update and 2023 Priorities. Oral presentation at HIPAA Summit 40. March 7, 2023. Online conference.

4. Department of Health and Human Services Office for Civil Rights. Fact sheet: Ransomware and HIPAA. 2016. Available at Accessed August 8, 2023.

Adrian P. Senyszyn, JD, is a principal at Germer PLLC in San Antonio, Texas. He can be reached at