We’ve written before about regulators’ and prosecutors’ increasing efforts to fight cybercrime in the COVID-19 era, and about how the most common form of cybercrime is Business Email Compromise (BEC) fraud. Last week, federal agencies reminded us about the particular vulnerability of healthcare providers to such cyber-attacks. The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) issued a joint alert last Wednesday in which they stated that they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The agencies warn that these new attacks, allegedly orchestrated by a Russian-speaking criminal gang, can cause “data theft and disruption of healthcare services.”
According to the agencies, these cybercriminals use ransomware that is seeded through a network of zombie computers. When the ransomware attack commences, the victim’s data is scrambled and rendered useless. The only way to unscramble the victim’s data is with a “key,” which can only be obtained from the cybercriminals in exchange for a substantial ransom payment.
Ransomware attacks have been particularly frequent over the last 18 months, with local governments and healthcare providers hit especially hard. According to one analyst, at least 59 U.S. healthcare providers/systems have already been affected by ransomware this year. Last month, a ransomware attack effectively shut down the computer system of a hospital, forcing doctors and nurses across 250 U.S. facilities to handwrite their records. The cybercriminals understand that this type of disruption puts patient lives in danger, which can increase the likelihood that the ransom will be paid.
The cost associated with the disruption caused by ransomware often outweighs the cost of a ransom payment, but giving in to a cybercriminal’s demand may pose its own risks. Paying a ransom may encourage additional attacks in the future, and it may even lead to government scrutiny and the imposition of civil monetary penalties.
The attorneys at Chilivis Grubman represent clients of all sizes in connection with data breach and cybersecurity matters, including regulatory obligations and litigation arising therefrom. If you need assistance with such a matter, please contact us today.