Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. Healthcare Cybersecurity Q&A: Ransomware and Data Breaches

      Articles

    Article

    Healthcare Cybersecurity Q&A: Ransomware and Data Breaches

    June 3, 2025

    LinkedInX (Twitter)EmailCopy URL

    By Valerie Montague

    This healthcare privacy Q&A offers legal insights on HIPAA, breach response, vendor contracts, and ransomware preparedness from Nixon Peabody attorney Valerie Montague.

    As ransomware attacks on the healthcare sector continue to rise, organizations face growing legal, operational, and reputational risks. Nixon Peabody Healthcare Privacy attorney Valerie Montague answers common questions about HIPAA compliance, breach notification, and how to prepare for and respond to cybersecurity incidents.

    What should we do if our healthcare organization is hit by ransomware?
    If protected health information (PHI) is encrypted or accessed without authorization, it may be considered a reportable breach under HIPAA. Simultaneous with a forensic investigation, an impacted organization should conduct a breach risk assessment to determine applicable notification obligations.
    What does a HIPAA breach risk assessment involve after a cyberattack?
    A HIPAA-compliant risk assessment evaluates the type of PHI involved, whether it was accessed or viewed, who the attacker was, and how much the risk was mitigated. Forensic analysis is essential to support your findings.
    If the organization is not regulated under HIPAA or if a HIPAA breach risk assessment indicates that reporting is not required, are we in the clear?
    Not always. An incident may trigger a state data breach law even if HIPAA is not implicated due to the type of information involved or because the state requirement does not allow for a risk-based analysis. Additionally, vendor contracts often require notification of any security incident, even if it doesn’t meet HIPAA’s definition of a breach.
    What is a Business Associate Agreement (BAA), and why does it matter?
    BAAs are contracts between healthcare providers and vendors that handle PHI. They should clearly define who reports a breach, how quickly, what information must be shared, and who covers the costs.
    How can we prepare for a ransomware attack before it happens?
    Start with a robust privacy and security compliance program. Conduct regular security risk analyses, maintain a current incident response plan, and back up your data in multiple secure locations. Workforce training is also essential—your security is only as strong as your weakest link.
    What are the legal risks of delaying breach notification or mishandling our response?
    Delays or missteps can lead to regulatory penalties, reputational damage, and class-action lawsuits. Regulators expect a timely, thorough response.
    What’s one common cybersecurity mistake healthcare organizations overlook?
    One of the biggest missteps is failing to update privacy and security protocols to respond to changing risks, new processes, or technology updates. Ensuring health information confidentiality and security means implementing a “living” compliance program that adapts to your organization’s changing environment.

    Need help strengthening your healthcare cybersecurity program or responding to a data breach? Nixon Peabody Healthcare & Privacy attorneys work with healthcare organizations nationwide to build compliance strategies, manage breach response, and reduce legal risk.

    Practices

    HealthcareHealth Information - Privacy, Security & Data SharingHealthcare Regulatory & ComplianceCybersecurity & Privacy

    Industries

    Healthcare

    Key Contact

    For more information, please contact:

    Valerie Breslin Montague

    Partner

    • Office+1 312.977.4485
    • vbmontague@nixonpeabody.com

    Insights And Happenings

    • Article

      Healthcare Cybersecurity: Responding to Ransomware

      June 3, 2025
    • Article

      New administration continues pace of OCR’s HIPAA enforcement

      April 25, 2025
    • Article

      OCR announces first HIPAA settlement under the new administration

      April 21, 2025
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved