
Health-ISAC Hacking Healthcare 10-15-2024

This week, Health-ISAC®'s Hacking Healthcare® examines a healthcare data breach that highlights how exfiltrated data like medical imagery can create serious complications for entities working through incident response and ransom demands. In addition, we raise awareness around the cybersecurity risks associated with the mergers and acquisitions process in the healthcare sector.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

TLP WHITE Hacking Healthcare 10.15.2024

Text Version:

Welcome back to Hacking Healthcare®.

Healthcare Data Breach Reiterates Complexity of Incident Response 

 A United States-based healthcare entity has made progress toward settling a lawsuit related to a data breach from last year that led to the exposure of a large quantity of sensitive patient images. The fallout from the incident highlights the incredibly difficult legal and regulatory position that healthcare entities continue to find themselves in. 

 

What happened?

In early 2023, a United States-based healthcare organization recognized unauthorized activity in its IT systems. An investigation revealed that a Russian-aligned malicious cyber actor had accessed a system containing sensitive patient information that included a large quantity of patient images. The malicious cyber actor was able to exfiltrate a sizeable amount of data, including the images, and then attempted to extort the healthcare organization. It appears that in an attempt to pressure the victim organization to pay, the malicious cyber actor began publicly leaking data that included these sensitive images.   

 

The victim organization determined it would not pay the ransom demand, and as part of its incident response, law enforcement was notified, cyber incident response firms were brought in, and the organization notified affected individuals.

 

In the wake of these actions, a class action lawsuit was brought against the healthcare organization by patients affected by the incident. The lawsuit claimed that there were insufficient security protections in place to protect such sensitive information, that the healthcare organization should have known it was a likely target, and that not paying the ransom and allowing the images to be leaked publicly was harmful to the patients. 

 

Lawsuit

The most recent update suggests that a settlement between the parties is likely. While the proposed terms have yet to be accepted by the court, acceptance appears likely given the reported settlement amount. If reported figures are accurate, the settlement would cost many times more than the initial ransom demand.

 

Action & Analysis 
**Included with Health-ISAC Membership**

 

While the above recommendations are mostly applicable to the larger entity making an acquisition or the one leading a merger, it is important to highlight the position of the target of an acquisition, or the lesser partner in a merger. While legal and business considerations can create limitations or disincentives to being aggressively forthright regarding your organization's cybersecurity, we would urge you to remember that the clarity you provide on these matters impacts patient health and safety. We would urge you to consider sharing relevant cybersecurity information to the greatest extent practical under these conditions.

 
