Massachusetts Hospital Hit with Class-Action Lawsuit After Paying Ransomware Attackers for Stolen Data

A Massachusetts hospital is facing a class-action lawsuit after a ransomware attack in February 2021 that impacted over 35,000 individuals and put personally identifiable information (PII) in jeopardy. The class-action lawsuit claims that the provider failed to safeguard its data against ransomware attacks.

In an official statement to its patients, the Massachusetts hospital said its investigation determined that an unauthorized party gained access to some of its systems during the morning of February 9, 2021. The statement also acknowledges that the hospital paid a ransom in exchange for the safe return of patient data, and that its systems were secured later that same day. In exchange for the ransom payment, hospital officials obtained assurances that the information acquired would not be further distributed and that it had been destroyed.

The stolen information included names, contact information, routing numbers, financial account numbers, Medicare claim numbers, medical history, and Social Security numbers. The hospital emphasized that its electronic health record was not involved in the breach.

The Massachusetts hospital is providing two free years of credit monitoring and has encouraged affected individuals to review their financial statements regularly.

The class-action lawsuit claims that the attack resulted in damages exceeding $50,000. The primary plaintiff’s attorneys requested a trial by jury.

Lawsuits, data recovery, and additional cybersecurity investments are just some of the ramifications of a healthcare ransomware attack. A recent report from IBM and Ponemon Institute estimated that healthcare data breaches cost on average $9.23 million per incident.

The Cybersecurity & Infrastructure Security Agency (CISA) recently released a fact sheet that outlines steps an organization can take to protect PII and respond to a data breach. The fact sheet emphasizes that organizations should never pay a ransom to cybercriminals and urges entities with sensitive data to ensure that they have encrypted offline data backups and an incident response plan. Additionally, it is crucial for organizations to ensure that data is disposed of properly and to report data breaches to state and federal agencies. CISA’s fact sheet can be accessed at Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches (cisa.gov).

Issue

The healthcare sector is now one of the largest victims of ransomware because of the confidentiality and the critical nature of online patient records. It is imperative that all nursing facilities become proactive in preventing ransomware attacks in order to avoid data breaches, which are reportable under the Health Insurance Portability and Accountability Act (HIPAA). Nursing facility leaders and the Privacy Officer should be aware of the new tactics used by ransomware attackers and should provide training to all staff with access to electronic medical records, email, or the internet on best practices for preventing a ransomware attack. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6 Data Integrity.

Discussion

  • Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices designed to prevent ransomware attacks as updates become available.
  • Train all appropriate staff on best practices to prevent ransomware. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
  • Periodically audit to ensure that staff are knowledgeable about, and are using, best practices for preventing ransomware attacks.