Lawsuit Filed in Wake of Ransomware Attack
Ryuk Attack on DCH Health System Disrupted Patient Care Last Fall
A lawsuit against DCH Health System in the wake of a ransomware attack that disrupted medical services for several days alleges that the Alabama-based organization failed "to properly maintain and safeguard its computer systems and data."
The lawsuit, which seeks class action status, alleges DCH failed to maintain "an adequate data security system to reduce the risk of data breaches and cyberattacks." It also alleges that the organization did not adequately protect patients' private information, properly monitor its own data security systems for existing intrusions, or ensure the confidentiality and integrity of electronic protected health information.
"Because of the ransomware attack, plaintiffs and class members had their medical care and treatment as well as their daily lives disrupted," the lawsuit states. "As a consequence of the ransomware locking down the medical records of plaintiffs and class members, [those individuals] had to forego medical care and treatment or had to seek alternative care and treatment."
For several days, DCH diverted ambulances and patients to other area facilities as it dealt with the ransomware attack it discovered on Oct. 1.
In a statement posted on its website Oct. 2, DCH noted that it experienced a cyberattack "by an unknown individual who used malicious software to encrypt files and restrict access to computer systems serving DCH Regional Medical Center, Northport Medical Center and Fayette Medical Center. Investigators have determined that the ransomware variant Ryuk was used to encrypt the files."
DCH then acknowledged on Oct. 5 that it paid an undisclosed ransom to obtain a decryption key from the attackers to restore access to locked systems.
The lawsuit, which seeks unspecified damages, alleges DCH is guilty of negligence, invasion of privacy, breach of express contract, breach of implied contract, and breach of fiduciary duty.
A DCH spokesman declined to comment specifically on the lawsuit or any of its allegations.
Although the Oct. 1 ransomware attack limited the organization's ability to provide immediate care to all non-critical patients, the spokesperson says, the organization was "still able to provide critical medical care to those who needed it. During the event, we followed our emergency protocols, which included diverting all non-urgent patients to other facilities. This ensured we were able to fully care for all critical-need patients who arrived at the hospital and prompt care for those with non-urgent conditions. Medical records in the electronic medical record system were not impacted by the ransomware and remain secure. We are constantly improving processes for patient care and experience, as well as further hardening our security to ensure patient and employee information is appropriately protected."
Breach or No Breach?
DCH never offered free credit or ID monitoring to affected individuals, the lawsuit says.
As of Monday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists major health data breaches, did not contain any breach reports from DCH or any of its three hospitals affected by the ransomware attack.
While DCH posted several updates on its website during the ransomware attack recovery, it's unclear whether the organization mailed breach notifications to any patients whose data was affected.
Determining whether a ransomware attack is a reportable breach under HIPAA requires a fact-specific determination, notes independent regulatory attorney Paul Hales.
"A ransomware attack that encrypts ePHI is presumed by HHS Office for Civil Rights to be a HIPAA breach unless the organization can demonstrate a low probability that the PHI was compromised," Hales says. "According to OCR, 'high risk of unavailability of the data' requires breach notification, 'particularly given that any delay may impact healthcare service and patient safety'."
"Even if forensic experts can prove ePHI was not actually acquired or viewed by the criminals, the ransomware attack may be a reportable HIPAA breach," the attorney says.
"The DCH complaint aims directly at the Achilles heel of a health data ransomware attack by alleging the named plaintiffs suffered disruption of their medical care because their medical records were compromised."
In light of the surge in ransomware attacks, "organizations must have technologies in place to detect inappropriate system activity and look for the telltale signs of intrusion," notes privacy attorney David Holtzman of security consulting firm CynergisTek.
"According to US-CERT, organizations that have been hit by the Ryuk ransomware often had been compromised for a long period of time after being infected with malware that infiltrates the information system through a phishing email," he explains. "The malware enables the cybercriminals to explore and map the files and data backups in the information system that will be encrypted when the ransomware attack is launched."
Although many lawsuits filed after data breaches are dismissed by the courts because of lack of proof of any "injury" to plaintiffs, Holtzman says the DCH lawsuit could advance.
"I believe that some of the individual claims brought in this action will ultimately survive attempts by DCH to have them dismissed," Holtzman says. "At least two of the claimants allege they were receiving treatment at the time of the ransomware attack and that they suffered pain or delay in needed treatment as a direct result from the health system not having access to their electronic health record. In my view, the courts are more likely to allow these types of claims to move forward so that the consumer and the health system can develop additional evidence through the discovery process."
A High Bar
Consumers bringing claims in federal courts arising from data breaches have a relatively high bar to cross to demonstrate they have standing to bring a lawsuit, he adds.
"The Supreme Court has established a test to answer these questions by requiring the claimant to allege they have suffered damages or an injury, that it was caused by the defendant and that the damage or injury can be redressed through some action or award made by the court."
The number and severity of security incidents that have compromised patient information maintained by healthcare organizations or their service providers has reached "epidemic proportions," Holtzman adds.
"I believe we are going to see more litigation from consumers who claim they have suffered damage as a result of these ransomware or cybersecurity attacks."