Organizations that have fallen prey to ransomware attacks have, of late, had to deal with more severe aftermaths than profit losses, tarnished reputations, stolen data and ransom payouts. In fact, during 2020, attackers received approximately $350 million in ransom – a 300% increase from 2019.
The latest blow to companies is the exposure to litigation, given that they did not do enough to prevent the attacks. Companies are now being sued by employees and consumers, who have been impacted by the breach of security. In fact, the most recent attacks on critical infrastructure have caused several lawsuits, where businesses as well as consumers related to the victim organization are suing for damages.
For instance, a class-action suit has been filed in Georgia Federal Court by consumers who have been forced to pay higher prices for gas due to the Colonial Pipeline ransomware attack. Given that Colonial Pipeline has had to pay a ransom of 75 bitcoin or $4.4 million within several hours after the attack, the company will also have to suffer litigation expenses.
Here are two recent cyberattacks on the healthcare industry prompting legal action:
DuPage Medical Group – In the July 2021 ransomware attack on DuPage Medical Group, hackers gained access to parts of a computer network containing the protected health information of 655,384 individuals. Stolen records included patient names, Social Security Numbers, addresses, dates of birth, diagnosis codes, medical procedure codes, and more. Recently, patients have sued DuPont Medical Group for negligence in implementing appropriate defenses to prevent ransomware, putting patients at risk of fraud and identity theft.
St Joseph’s / Candler Hospital – The attack on St Joseph’s / Candler Hospital, the largest healthcare system in Georgia, occurred around the same time as DuPont Medical Group – June 2021. Hackers got control of systems that contained protected health information of 14 million patients – including names, Social Security Numbers, driver’s license numbers, health insurance information, health information, and financial information. On further investigation, it was uncovered that hackers first gained access to the systems six months prior – in December 2020! The lawsuits raps St. Joseph’s/Candler for failing to design, adopt, implement, control, manage, monitor, and audit appropriate data security processes to protect sensitive data.
The risk of ransomware is here to stay as threat actors continue to exploit weak IT systems to gain access to personal data. In time, we will know the outcome of these lawsuits on cyber-negligent companies. Until then, it is imperative that your organization steers clear of this double whammy – being breached and then being slapped with a lawsuit. The easiest way to do so is to tighten your security controls and adopt a successful vulnerability management program. SureShield’s suite of products helps you adopt a proactive cybersecurity posture, so you don’t become a victim in the first place. Visit our website for more information or email us at [email protected]