
Breach analysis · Patient Protect

Ransomware response readiness: your HIPAA notification clock starts at discovery, not disclosure

When ransomware silences your phones and encrypts your systems, your notification clock is already running — here's what preparation looks like before the incident begins.

Patient Protect Research · May 3, 2026 · First reported in HIPAA Pulse

What this incident exposes

Cherry Health, a federally qualified health center in Michigan, has been experiencing organization-wide technology failures — including phone system outages across its locations — for multiple days. The health system has publicly acknowledged only generic "technology issues" while continuing clinic operations. Reporting by DataBreaches.net characterizes the disruption as consistent with a ransomware attack, a description Cherry Health has neither confirmed nor denied. As of the HIPAA Pulse article's publication, no formal breach notification had been issued and no disclosure had been made regarding whether patient data was compromised.

The compliance gap here is not only technical — it is procedural and legal. Under HIPAA's Breach Notification Rule, the 60-day window for notifying affected individuals begins at the point of discovery (the date the breach is known, or by exercising reasonable diligence would have been known), not at the point of public acknowledgment. If the discovery date aligns with when the outages began, that clock is running regardless of what the organization has said publicly. Independent practices watching this incident should ask one question: if this happened to us tomorrow, would we know exactly what to do in the first 48 hours?

First reported in HIPAA Pulse: https://hipaapulse.com/cherry-health-silent-on-ransomware-as-technology-disruptions-stretch-into-multiple-days-e1d6d69f

The HIPAA Security Rule provision in play

This incident implicates multiple provisions simultaneously:

  • §164.308(a)(6) — Security Incident Procedures: Covered entities must implement policies to identify, respond to, and document security incidents, including processes for reporting and mitigating harm.
  • §164.308(a)(7) — Contingency Plan: Requires a data backup plan, disaster recovery plan, and emergency mode operation plan — with testing and revision procedures.
  • §164.312(b) — Audit Controls: Requires mechanisms to record and examine activity in systems containing ePHI, which supports both incident detection and post-incident analysis.
  • 45 CFR §164.400–414 — Breach Notification Rule: Requires notification to individuals within 60 days of discovery and notification to HHS without unreasonable delay.

The combination of apparent infrastructure-wide impact and absence of public characterization points specifically to gaps in incident response planning and notification readiness — not only in technical controls.

How Patient Protect addresses this

  • Security Risk Assessment (SRA): Identifies gaps in contingency planning, incident response procedures, and backup controls before an incident surfaces them. An SRA conducted under Patient Protect's framework produces documented evidence of good-faith risk analysis — a factor OCR weighs in enforcement actions.
  • Autonomous Compliance Engine: Continuously recalculates your compliance posture as configurations and circumstances change, rather than treating risk analysis as a once-a-year exercise.
  • Policy Generation: Produces written incident response and breach notification policies — including defined discovery-date protocols and notification timelines — so staff are not improvising under pressure.
  • Security Alerts: Provides real-time monitoring and alerting on anomalous activity, supporting earlier detection of the behavioral patterns that precede ransomware deployment.
  • Workforce Management + Office Training (80+ modules): Ensures staff recognize phishing and social engineering vectors — common ransomware entry points — and understand their role in incident reporting.

Practical next steps

  • Define your discovery date in writing. Your breach notification policy should explicitly state who has authority to declare a discovery date and how that determination is documented.
  • Test your backup and recovery procedures this week. Confirm backups are isolated from your primary network and that a restore has been successfully executed within the last 90 days.
  • Draft a 48-hour communication template now. Prepare a factually accurate holding statement for patients, staff, and regulators that does not overcommit on scope — and have legal counsel review it before you need it.
  • Run a Security Risk Assessment. Document your current control posture, gaps, and remediation plan. This record matters to OCR whether or not a breach ever occurs.
  • Assign a legal and compliance contact in your incident response plan. Disclosure decisions carry regulatory and liability consequences from hour one.

Try Patient Protect

  • Start a free trial at hipaa-port.com (https://hipaa-port.com)
  • Run a free Security Risk Assessment at patient-protect.com/risk-assessment (https://patient-protect.com/risk-assessment)

This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article.