[BreachExchange] Hacked Off: Patients Sue Ransom-Paying Hospital Group

[Destry Winant]

https://www.databreachtoday.com/hacked-off-patients-sue-ransom-paying-hospital-group-a-13736

A lawsuit seeking class action status has been filed against a New
Jersey healthcare organization in the wake of a ransomware attack last
December in which the entity paid attackers a ransom to unlock its
systems.

The lawsuit filed against Edison, N.J.-based Hackensack Meridian
Health, which has 17 hospitals and other care locations in the state,
seeks damages for the patients affected.

The ransomware attack on Dec. 2, 2019, brought down the organization's
computer network for two days, "leaving hospitals in the HMH network
to reschedule non-emergency surgeries and doctors and nurses
scrambling to deliver care without access to electronic records," the
lawsuit states.

Because of the ransomware attack, patients had their medical care and
treatment disrupted, the complaint alleges.

"As a consequence of the ransomware locking down the medical records
... plaintiffs and class members had to, among other things, forego
medical care and treatment or had to seek alternative care and
treatment," the lawsuit alleges.

"What's more, aside from having their lives disrupted, plaintiffs' and
class members' identities are now at risk because of [HMH's] negligent
conduct, since the private information that [HMH] collected and
maintained is now in the hands of data thieves. ... exposing [them] to
a heightened and imminent risk of fraud and identity theft."

HMH Reacts

In a statement provided to Information Security Media Group, HMH
states that after the ransomware attack, the network took immediate
action to protect its patients and to remediate the issue.

"We notified the appropriate authorities, including the FBI, other law
enforcement and regulatory authorities," according to the statement.
"Due to the extraordinary efforts of our physicians, nurses and
clinical teams, patient safety was assured during the attack. We also
engaged external cybersecurity and forensics experts, who found no
evidence that any patient information was subject to unauthorized use
or disclosure."

In a statement provided to ISMG last December following the ransomware
attack, HMH said: "Due to the frequency with which healthcare
organizations are targeted by cybercriminals, we have comprehensive
coverage in place to help cover costs associated with a cyberattack,
including payment, remediation and recovery efforts. We believe it's
our obligation to protect our communities' access to health care.
However, we cannot disclose the amount of the ransomware payment due
to confidentiality agreements."

The lawsuit alleges that HMH did not report the incident to HHS'
Office for Civil Rights as a health data breach as required under
HIPAA, did not notify individuals' whose records were impacted by the
attack, and did not offer any credit or ID monitoring to those whose
data was affected.

HHS OCR several years ago issued guidance advising organizations that
under most circumstances, ransomware attacks are considered reportable
breaches under HIPAA.

HMH did not immediately respond to an inquiry about whether it
reported the ransomware attack to the U.S. Department of Health and
Human Services as a health data breach.

As of Tuesday, the HHS HIPAA Breach Reporting Tool website listing
data breaches impacting 500 or more individuals did not show any
breach reports filed by HMH.

Independent HIPAA attorney Paul Hales, who is not involved in the
case, notes: "The ransomware attack may not be a reportable HIPAA
breach if HMH determines it resulted in a low probability of
compromise to the health information involved."

Identities at Risk

The lawsuit says plaintiffs believe their private information was
stolen and subsequently sold after the ransomware attack, putting them
at risk for identity theft and related crimes.

Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg
P.C., who's not involved in the case, notes that plaintiffs alleging
that their data was "stolen" and subsequently "sold" as a result of
the attack potentially could demonstrate "that [the] ransomware has
pre-encryption lockout capabilities [that] would create a more
realistic likelihood that the threat actors intended for a double dip
extortion."

"Filing the class action lawsuit is the opening gambit of a long chess
game between lawyers. Class actions focused on health information
breaches are the new normal."
—Paul Hales, HIPAA attorney

For ransomware attacks using the new hybrid ransomware variants that
exfiltrate and then encrypt, "erring on the side of disclosure is
probably the best approach, but again, this is really ... dependent
upon a thorough cybersecurity investigation coupled with a robust risk
analysis," Teppler says.

Care Disrupted

The lawsuit also contends that as a consequence of the ransomware
attack on HMH, medical care and treatment "was disrupted and
compromised." For example, at least one plaintiff could not get his
prescriptions renewed as a consequence of the attack, the lawsuit
alleges.

"As a result of the defendant's failure to fulfill the data security
protections promised ... plaintiffs and members of the class did not
receive the full benefit of the bargain, and instead received
healthcare and other services that were of a diminished value to that
described in the contracts," the lawsuit states.

As a result, patients were "damaged" in an amount "at least equal to
the difference in the value of the healthcare with data security
protection they paid for and the healthcare they received," the suit
alleges.

Seeking Relief

The lawsuit asks the court to require HMH to refrain from "engaging in
the wrongful conduct pertaining to the misuse and/or disclosure of
plaintiffs' and class members' private Information, and from refusing
to issue prompt, complete and accurate disclosures" to individuals
about the incident.

The lawsuit also seeks to compel HMH "to utilize appropriate methods
and policies with respect to consumer data collection, storage, and
safety, and to disclose with specificity the type of PII and PHI
compromised during the ransomware attack."

So far, HMH has not disclosed the type of information impacted by the
attack, nor the number of individuals' records potentially affected.

The lawsuit also seeks "equitable relief requiring restitution and
disgorgement of the revenues wrongfully retained as a result of
[HDM's] wrongful conduct." It also requests that HMH be required to
pay for at least three years of credit monitoring services for the
patients who were affected.

In addition, the lawsuit seeks "an award of actual damages,
compensatory damages, statutory damages and statutory penalties, as
well as punitive damages."

Paying the Ransom

Hales, the HIPAA attorney, says that HMH "paid the ransom no doubt to
do the right thing - restore patient care quickly. However, it may
indicate serious problems for HMH's defense because it suggests HMH
lacked sufficient data backup and effective contingency plans for
recovery and emergency mode operation required by HIPAA."

Failure to comply with HIPAA, he says, "violates a professional
standard of care akin to alleged failure to meet professional
standards of care in medical malpractice cases. Filing the class
action lawsuit is the opening gambit of a long chess game between
lawyers. Class actions focused on health information breaches are the
new normal."