On Thursday, I reported on a potential class action lawsuit that had been filed against two hospitals in Puerto Rico that suffered a ransomware attack. As I noted in my post, none of the named plaintiffs claimed that they had suffered any concrete injury or harm other than the cost and time involved in monitoring their credit reports and looking out for signs of fraud. Not to minimize those harms, but lawsuits alleging that entities who fall prey to ransomware attacks are somehow negligent for not having perfect security or because despite training, employees make mistakes and fall for phishing attacks, may only generate a lot litigation that will drive up the costs of healthcare and insurance for all of us without improving security of protected health information.
Sure enough, yesterday I saw two more potential class action lawsuits involving ransomware attacks.
The first one was filed against Hackensack Meridian Health in New Jersey and is in response to their December 2019 ransomware attack. At the time of the attack, the ransomware disrupted IT system and the healthcare system wound up rescheduling or delaying up to 100 elective procedures. After a few days of disruption, the entity decided to pay an undisclosed amount of ransom to restore access to their systems.
After reading through the complaint, I found that unlike the complaint discussed above, this complaint would likely include people who had had their care interrupted or delayed to some extent. Indeed, one named plaintiff experienced interruption or delay in his medical care — specifically, delay in getting a prescription renewed.
You can read the full complaint here. The complaint alleges, at one point, that class members private information “was seized and held hostage by computer hackers for ‘ransom’, and ultimately disclosed to other unknown thieves.” At another point, it similarly alleges:
There is a strong probability that entire batches of stolen information have been dumped on the black market and are yet to be dumped on the black market, meaning Plaintiffs and Class Members are at an increased risk of fraud and identity theft for many years into the future. Thus, Plaintiffs and Class Members must vigilantly monitor their financial and medical accounts for many years to come.
Strong probability that it was already dumped? Why is there a strong probability that it has been dumped if the ransom was paid? The ransomware business model pretty much requires attackers to keep their word about not dumping or misusing data, lest future victims will not believe their word and will refuse to pay the ransom.
The complaint also alleges that had HMH “properly monitored its
property, it would have discovered the intrusion sooner.” When do the plaintiffs think it was discovered? The intrusion was detected quickly, but on the advice of experts, the hospital system didn’t immediately disclose that it was a ransomware attack.
The complaint seems to be making allegations that the plaintiff’s law firm used in at least one other class action lawsuit that hey filed against Tidelands Health over that entity’s ransomware incident. But the claims seem misplaced or even absurd in HMH’s case.
But the HMH lawsuit wasn’t the only potential class action lawsuit I looked at yesterday. I also read about another lawsuit that had been filed against Campbell County Health in Wyoming over their ransomware attack on September 20 that affected more than 1,500 computers and disrupted a number of services. By Oct. 7, most, but not all, services were restored but the system did suffer more extensive disruption in services than in the other cases I described above. I haven’t found a copy of the complaint anywhere yet, but sent an inquiry yesterday to the county asking whether this incident was reported to HHS, and if they had any statement to make at this time. I received no reply, but this post may be updated if a reply is received.
But again: where is this all going? With threat actors like Maze Team exfiltrating and then dumping data from noncompliant victims, will we see more and more lawsuits stemming from ransomware incidents? Sadly, I think that will be the case.
Update Feb. 19: I am not the only one who is not a fan of this litigation. Read HIPAA attorney Jeff Drummond’s thoughts on his blog.
Update Feb. 21: Karen Clarke of Campbell County responded to my inquiry by stating:
An independent forensic analysis determined that there was no data breach at Campbell County Health. Therefore, no reporting to governmental authorities was necessary.
No data breach? Or no reportable breach under state law or HIPAA? The county’s answer raises more questions.