BayPay Forum

EMV: Not Ready for Prime Time?

Category: Security News

Fraud, Payments

National Restaurant Association's Matthews Says Small Merchants at Disadvantage

Tracy Kitten (FraudBlogger) • April 1, 2016

Dave Matthews, executive vice president and general counsel of the National Restaurant Association, which represents more than 500,000 restaurants throughout the country, says the group questions whether EMV is really ready for "prime time."


Small and independent restaurants have seen significant upticks in chargebacks for alleged fraudulent transactions since the EMV fraud liability shift took effect in October 2015. And Matthews alleges that's unfair, given the current state of EMV and the questions about whether all the transactions cited for chargebacks are actually fraudulent.

"We see a number of hurdles that still have to be overcome," Matthews says during this video interview at Information Security Media Group's recent Fraud and Data Breach Summit in San Francisco. "Only half of the consumer public has chip-enabled cards at this point in time. There are still an awful lot of cards that need to be issued. And secondly, there's a huge backlog of certification of [EMV-ready] point-of-sale hardware and software that needs to get through EMVCo's pipeline before that equipment is readily available to most small merchants."

Smaller restaurants have been put at an EMV-migration disadvantage, Matthews argues. While larger merchants with higher transaction volumes have been able to demand more immediate EMV certification for their point-of-sale systems and devices, smaller merchants have had little say in when their terminals are certified as EMV compliant, he contends.

As a result, smaller restaurants are seeing massive amounts of chargebacks for magnetic-stripe transactions believed to be fraudulent, Matthews says. If these merchants had EMV-certified equipment, they would not be liable for the chargebacks.

A lawsuit filed last month against the card brands and top issuing banks by two small merchants in Florida raises many of these issues (see Merchants Ask Court for Relief from EMV Liability Shift).

Chargebacks Questioned

"Part of the problem is that it's difficult to ascertain what the causes of those chargebacks are," Matthews says. "When a charge is questioned by a consumer, that's lumped in a fraud category. When a counterfeit card is used, that's lumped into a fraud category. Frankly, when there's a coding error or a transaction error, that's lumped into a fraud category."

So it's difficult to know which chargebacks are actually linked to counterfeit-card purchases, Matthews claims. "We need some help from the [card] brands and from the issuing banks to ... understand what kind of charges we're actually seeing," he says.

During this interview, Matthews also discusses:

  • Why the association, which once said small restaurants didn't need EMV, now believes that upticks in chargebacks have made migration to EMV a necessity;
  • Why he believes that EMVCo, which oversees EMV specifications, and the card brands have an obligation to help smaller merchants with their EMV migrations; and
  • Why more lawsuits related to EMV inequities are likely to be filed by smaller merchants.

At the National Restaurant Association, Matthews is responsible for all legal matters and is involved in business development, partner products and international development activities. He has extensive experience in technology, data security and financial services. Matthews previously served as executive vice president of business development and innovation, and senior vice president of technology and operations for the NRA. Before joining the NRA, Matthews was senior vice president for technology and operations of the Federal Home Loan Bank of Chicago.


Ransomware Epidemic Prompts FBI Guidance

Category: Security News

Anti-Malware, Risk Management, Technology

Cyberattacks Are Hitting All Sectors, Including Government

Tracy Kitten (FraudBlogger) • March 31, 2016

Ransomware is such a serious cybersecurity concern that the Federal Bureau of Investigation has issued new guidance and yet another alert about the threat.


In recent weeks, attacks involving ransomware, in which cybercriminals demand ransom to unlock data they've encrypted, have plagued the healthcare sector. And federal agencies reported 321 ransomware-related incidents in the second half of last year, according to a new report (see Ransomware Attacks Against Government Agencies Widespread).

The FBI offered new guidance about mitigating the risks of ransomware in a podcast last week. It noted that ransomware is evolving, increasingly targeting businesses rather than consumers. And it warned against paying ransoms.

In addition to the guidance, the FBI also issued an alert about a new type of ransomware known as MSIL/Samas, which encrypts entire networks, rather than data linked to one computer, according to Reuters.

The Baltimore Sun reports that actions taken by hackers in a March 28 cyberattack against MedStar Health are "almost identical" to actions associated with the MSIL/Samas ransomware.

But MedStar Health, a 10-hospital system serving Maryland and the Washington, D.C. area, has not yet confirmed that ransomware was involved in the cyberattack, which forced the healthcare provider to shut down many of its systems to avoid further spread of a virus.

Although most ransomware is still spread via phishing, newer ransomware families are much more damaging than earlier versions, says Oliver Tavakoli, chief technology officer at security firm Vectra Networks. "All early versions of ransomware (CryptoLocker, CryptoWall, Locky) encrypted files, both local and on network share, and left computers operational," he says. "The newer versions, like Petya, encrypt the file system structures and render an entire machine unusable."

Lack of Ransomware Awareness

Gartner analyst Avivah Litan laments that too many businesses "are not spending large amounts of resources on security and are not equipped to even understand these [ransomware] threats. These entities are not focused on fighting ransomware, so criminals' attack methods can easily stay ahead of their victims' ability to defend themselves."

And too many organizations are paying ransoms to extortionists, says cybersecurity attorney Chris Pierson, who also serves as CISO at electronic payments and invoicing provider Viewpost. "Whether due to speed, mission criticality or the lack of good backups and data proliferation, more companies are being forced to pay these days," he says.

For example, in February, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoins to unlock data encrypted by cyberattackers. Allen Stefanek, the hospital's president and CEO, noted that his organization decided to pay the ransom because obtaining the decryption key from the attackers was "the quickest and most efficient way to restore our systems and administrative functions."

A High-Profit Crime

The FBI, which has issued several alerts about ransomware, is concerned because so many businesses are paying ransoms to the hackers, says John Miller, director of the ThreatScape Cyber Crime division, a security consultancy run by iSIGHT Partners, a FireEye company. And the more companies are willing to pay, the more attractive ransomware attacks look to criminals, he adds.

"Ransomware does continue to draw in high profits for operators, and in many cases the damages it causes are highly publicized; both trends lead to growth in ransomware's user-base," Miller says. "Another trend which has exacerbated the ransomware issue is that the marketplace distribution models for various types of ransomware have become increasingly optimized."

The percentage of organizations that pay the ransom demanded by extortionists wielding ransomware has not likely changed over the last several months, despite the FBI's efforts to improve public awareness, says Vectra Networks' Tavakoli. "Given the sheer increase in volume of ransomware, it is pretty clear that more ransoms are being paid overall," he says. "And more ransom fuels more ransomware - both in funding the operations of existing purveyors of ransomware, as well as attracting more bad guys into the space."

Tom Kellermann, CEO of security firm Strategic Cyber Ventures, claims that between 60 and 70 percent of businesses targeted by a ransomware attack are paying their attackers to have files and systems unencrypted. "They are paying ransom in order to maintain business continuity," he says. "This is a terrible trend."

Who's Most Vulnerable?

Companies that don't have effective disaster recovery protocols in place, or those that have lax backup policies, are the most vulnerable to ransomware, says Nick Hyatt, senior consultant of enterprise incident management for the security firm Optiv.

"It is imperative that corporate IT departments take the threat of ransomware seriously, especially in the healthcare and financial sectors, and make serious movement toward protecting their users, networks and sensitive information," Hyatt says.

Real-time network monitoring solutions are helping some businesses better prevent ransomware infections, Hyatt says. "But, for the most part, the ransomware developers are one step ahead of the security industry," he adds.

And Kellermann says some endpoint security solutions can prove helpful in preventing malware infections. "But backing up drives daily and better URL filtering is tantamount to success in preventing an infection," he says.


Cancer Center Chain Faces Multiple Breach Lawsuits

Category: Security News

Data Breach, Litigation

Legal Experts Size Up Cases Against 21st Century Oncology

Marianne Kolbasuk McGee (HealthInfoSec) • March 31, 2016

At least seven class-action lawsuits have been filed against 21st Century Oncology, which recently reported a hacker attack that compromised the data of 2.2 million individuals.


The suits allege, among other things, that the company, which operates 181 cancer treatment centers, took inadequate security steps to protect data. But those filing the suits may have an uphill climb, some legal experts say, based on the outcomes of other cases making similar claims.

The company violated the Federal Trade Commission's Fair Credit Reporting Act and also the Florida Deceptive and Unfair Trade Practices Act, the suits allege. Other claims include breach of contract, unjust enrichment, negligence and invasion of privacy.

The lawsuits, which seek unspecified monetary, punitive and actual damages and/or restitution, will likely end up being consolidated, as is often the case when many suits are filed against an organization that's had a data breach.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says winning a case based on allegations of FCRA violations will prove challenging.

"This is not the first time that a plaintiff has alleged that a health information breach violated the FCRA," he says. "Last September, a U.S. Court of Appeals in Illinois dismissed a claim that Advocate Health violated the FCRA based on its data breach, finding that Advocate Health was not subject to the FCRA because it was not a 'consumer [credit] reporting agency.' While that decision is not binding on the court in this lawsuit, there is a good chance that the suit's FCRA claim will similarly fail."

One of the suits against 21st Century Oncology notes that "FCRA requires any business that shares data for consumer credit reporting purposes to maintain reasonable procedures designed to limit the furnishing of data to the purposes listed in the statute." Under FCRA, a person who receives medical information "shall not disclose such information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute," the lawsuit notes.

That lawsuit claims that, according to the company's notice of privacy practices, "21st Century Oncology collects and shares personally identifiable information and protected health information for purposes of collecting payment from insurers or third-party payers, subjecting it to the FCRA's requirements to safeguard PII and PHI and limit unauthorized disclosures."

Breach Details

21st Century Oncology first disclosed the breach affecting more than 2 million individuals in a March 4 filing with the Securities and Exchange Commission. The incident is also now listed on the Department of Health and Human Services' Office for Civil Rights "wall of shame" website of health data breaches affecting 500 or more individuals.

In a separate March 4 statement, 21st Century Oncology said that on Nov. 13, 2015, the FBI notified the company "that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database." The company says it immediately hired a forensics firm to support its investigation, assess systems and bolster security. "The forensics firm determined that, on Oct. 3, 2015, the intruder may have accessed the database, which contained information that may have included patients' names, Social Security numbers, physicians' names, diagnosis and treatment information, and insurance information. We have no evidence that any medical records were accessed."

Company Responds

In a statement to Information Security Media Group, 21st Century Oncology says, "as a company policy, we do not comment on pending litigation."

But the statement notes: "In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future."

The company addressed the litigation in an 8-K filing with the SEC on March 25.

"In connection with the data breach previously disclosed ... the company received notice that class action complaints have been filed against the company. The complaints allege, among other things, that the company failed to take the necessary security precautions to protect patient information and prevent the data breach. Due to the inherent uncertainties of litigation, we cannot predict the ultimate resolution of these matters or estimate the amounts of, or ranges of, potential loss, if any, with respect to these proceedings."

The company's SEC filing adds that it has insurance coverage and contingency plans for certain potential liabilities relating to the data breach. It also notes, "Nevertheless, the coverage may be insufficient to satisfy all claims and liabilities ... and the company will be responsible for deductibles and any other expenses that may be incurred in excess of insurance coverage."

'All Over the Map'

Privacy attorney Kirk Nahra of the law firm Wiley Rein says the litigation against 21st Century Oncology "is a perfect example of the kind of all-over-the-map class action complaints that we are seeing where there is some kind of security breach. These are creative, free-wheeling and highly imaginative claims designed to overcome two substantial hurdles in these cases - a relevant cause of action that is meaningful when applied to a class, coupled with actual damages."

Regarding allegations of breach of contract and unjust enrichment, one of the complaints notes, "Plaintiffs paid money to 21st Century Oncology and/or their insurers for medical services. Accordingly, plaintiffs and class members paid 21st Century Oncology to securely maintain and store their PII and PHI. 21st Century Oncology violated its contracts ... by failing to employ reasonable and adequate security measures to secure Plaintiffs' and Class members' PII and PHI."

That lawsuit adds: "21st Century Oncology has retained the benefits of its unlawful conduct including the amounts received for data and cybersecurity practices that it did not provide. ... Plaintiffs and the class members are entitled to full refunds, restitution and/or damages from 21st Century Oncology."

A similar argument related to unjust enrichment was made in a class-action lawsuit against health plan AvMed, which was settled in 2013 with some class members essentially getting refunds for portions of their paid premiums that they argued should've been spent by AvMed on data security.

"While most data breach class actions get dismissed due to a lack of harm or damages, this unjust enrichment theory is one of the few to have had any success, leading to a substantial settlement in the AvMed suit," Greene notes.

A key difference, Greene says, is that the AvMed case involved regular premium payments by members to their health plan, while the 21st Century Oncology case involves payments by patients for specific services rendered by the healthcare provider.

"While the court in the AvMed case was willing to entertain the idea that some portion of premium payments properly go toward information security, another court might be less inclined to find that payments for specific healthcare services should be treated similarly," Greene says.

Similarly, Nahra is doubtful the unjust enrichment argument will succeed in the 21st Century Oncology litigation. "This allegation that 'some unknown percentage of my payment to you was for data security and I deserve it back' is creative, but has not been successful and is not actually a subject of any kind of negotiation in any meaningful commercial sense."

While the lawsuits against 21st Century Oncology so far do not appear to allege that the plaintiffs have been victims of identity theft resulting from the breach, the various complaints contend that the hacker incident puts affected individuals at risk for ID theft and fraud, and other crimes, such as tax fraud.

Looking Ahead

The courts have dismissed most breach-related class-action lawsuits based on a lack of proof of harm, although plaintiffs have prevailed in a handful of cases, including AvMed, Greene notes. But lawyers continue to file lawsuits in hopes of turning the tide.

"A case in the Supreme Court, Spokeo, is closely being watched on this issue, as the Supreme Court potentially could break the dam wide open."

In that case, Spokeo v. Robins, the high court is expected to decide, possibly this year, whether websites, search engines and others that amass personal information from public sources can be sued under federal law for publishing inaccurate information, even if the errors cause the plaintiff no actual harm.


Blockchain Tech: A New Hyper-Secure Transaction Fabric

Category: Security News

Keynote Panel: The Apple vs. FBI Crypto Debate

Category: Security News
