Having gathered virtually on October 13 and 14 to discuss the escalating global security threat from ransomware, we the Ministers and Representatives of Australia, Brazil, Bulgaria, Canada, Czech Republic, the Dominican Republic, Estonia, European Union, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Poland, Republic of Korea, Romania, Singapore, South Africa, Sweden, Switzerland, Ukraine, United Arab Emirates, the United Kingdom, and the United States recognize that ransomware is an escalating global security threat with serious economic and security consequences.

Today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine. The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records. This is because the HIPAA Privacy Rule only applies to HIPAA covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions), and, in some cases, to their business associates.

The Department of Justice today launched a “civil cyber fraud initiative” that will punish government contractors and other firms that receive federal funding with severe fines if they fail to disclose data breaches. “For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and report it,” Deputy Attorney General Lisa Monaco said during the Aspen Institute Cyber Summit. “Well, that changes today.”