Published: September 14, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
A long-time favorite target for ransomware attacks, healthcare providers are now finding themselves on the wrong end of liability lawsuits. In 2019, ransomware cost U.S. companies an estimated $1.4 billion, according to anti-malware company Emsisoft, and they claim that estimate is conservative. In particular, a recent lawsuit against a Florida-based healthcare provider sheds light on the growing responsibility of providers to protect patient PHI (protected health information), showing the cost of a ransomware attack isn’t limited to just the ransom payment. The scores of individuals whose PHI is likely for sale somewhere on the Dark Web are extremely vulnerable to identity theft, financial fraud, and many other crimes using stolen PHI.
Last year, ransomware attacks in the state of Florida included at least four cities, and both a police and a sheriff’s department. But recently, the responsibility for protecting patient PHI is increasingly falling on healthcare providers whose data security is less than it should be. However, the state of Florida is far from unique in this matter, with ransomware attacks on healthcare, city services, and law enforcement nationwide experiencing similar situations.
Now, a lawsuit against Tampa-based Florida Orthopaedic Institute claims they failed to properly protect the records of 100,000 to 150,000 current and former patients. The suit asks for $99 million in damages for those, according to the Florida Orthopaedic Institute, whose Social Security numbers, birth dates, addresses, insurance plan, and payer ID numbers, medical health details and much more are now in the hands of cybercriminals.
Traditionally, the result of a ransomware attack on the victims was considered unfortunate collateral damage. The time and expense to repair the individual loss landed squarely on the victims, who were left scrambling to repair their identity at the very least. With responsibility to secure data now on healthcare entities, they need to respond to the task at hand.
Experts agree that healthcare needs to step-up its cybersecurity efforts to avoid ransomware attacks and protect PHI. It starts with these entities needing to properly secure all of their own data systems, and their patients’ data, from harm. Defense systems like firewalls and antivirus solutions also need implementing, as all bases need to be covered.
Employee cyber-education can help stop a ransomware attack before it starts. Employees are often the first stop for ransomware since it usually begins with email phishing attacks that get through email filtering defenses. Staff who are regularly educated on the latest hacking trends, including email phishing lures, can be an entity’s best defense against cybercrimes.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at email@example.com