The risks to organizations from a ransomware attack generally focus on familiar issues. Successful attacks can cripple an organization’s ability to function. They can lead to the loss of intellectual property and lower profits because of downtime. They can even affect business reputations. Recent developments in Ireland suggest that costly court battles might have to be added to this list.
A cancer patient receiving treatment at Mercy University Hospital in Cork has filed a lawsuit after his personal health information (PHI) was leaked in the wake of a ransomware attack against Ireland’s healthcare system earlier this year. The case further illustrates the dire financial impact that generally accompanies a ransomware attack: paid ransoms, mitigation costs, regulator fines, and lost revenue, among other costs.
The Ransomware Attack
Ireland’s Health Service Executive (HSE), which administers healthcare and social services countrywide, took all its IT systems offline in May when cyberattackers targeted HSE networks with a variant of Conti ransomware. The attack affected as many as 2,000 computer systems and disrupted healthcare operations across Ireland in the following weeks.
Reports soon emerged about a ransom demand of as much as $20 million. HSE refused the payment of any ransom and began the long work of decrypting their IT networks. Despite taking systems offline and claiming that no patient data had been compromised, HSE later admitted that data from more than 500 patients had been published online by the cyber attackers.
Michael O’Dowd, a lawyer in Cork who represents the patient in the lawsuit against Mercy University Hospital, said he would seek to prove that the hospital violated the European Union’s General Data Protection Regulation (GDPR) implemented in 2018. A post on the dark web by the hackers included personal details about the patient, including his name, medical identification number, and personal health details.
The GDPR is a data security and privacy law that requires companies that gather and store personal information on individuals in the EU to follow strict legal guidelines. Organizations must be transparent about what data is collected. They must also follow strict data security protocols, including data encryption and the creation and maintenance of a comprehensive data security policy.
The Broader Risk
Ransomware attacks have steadily increased in frequency and sophistication in recent years, and healthcare providers have regularly been targeted. Just this week the Memorial Health System, a small network comprising three hospitals in Ohio and West Virginia, was attacked by the Hive ransomware gang. The attack may have exposed confidential personal and health data of nearly 200,000 patients.
Similar to GDPR in the EU, the United States requires healthcare providers to comply with regulations set down in the Health Insurance Portability and Accountability Act (HIPAA). Any failure to adequately protect patient health information can lead to crippling regulatory fines and tarnish an organization’s reputation. If the suit against Mercy University Hospital is any indication, the leak of sensitive patient data could also lead to even costlier legal judgments.
For more than a decade, SecureData has helped key industrial sectors, including healthcare, maintain strict data security and compliance with all regulatory legislation governing the handling of personal and sensitive data. The aim has been to provide organizations the right tools to keep their customers and their information safe from attack.
In line with government regulations and law enforcement recommendations, our data security solutions combine the use of offline FIPS-validated and hardware-encrypted backup storage, remote drive management, and hardened endpoint security to protect computer network access points.
Doctors often care for patients in more than one location, so patient data must remain protected wherever it needs to be accessed. That’s precisely why the physicians at Crystal Clinic Orthopaedic Center turned to SecureData for a data storage strategy that kept protected health information encrypted and secure while in transit between the center and affiliated hospitals.