HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Maryland Considers Tougher Penalties for Ransomware Attacks

Following a spate of ransomware attacks on businesses and hospitals in Maryland, a new bill (Senate Bill 151) has been introduced which seeks to increase the penalties for ransomware attacks. It is hoped that tougher penalties for ransomware attacks would discourage individuals from conducting attacks in the state.

The bill defines ransomware as a computer or data contaminant, encryption, or lock that is introduced without authorization on a computer, computer network, or computer system that restricts access to the computer, data, network, or system and is accompanied by a demand for payment to remove the contaminant, encryption or lock.

Currently in Maryland, a ransomware attack is classed as a misdemeanor if the attacker causes losses of less than $10,000 and a felony if the attack results in losses of $10,000 or more.

The bill seeks to reclassify a ransomware attack as a felony if it results in aggregate losses of more than $1,000. Aggregate losses include “the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime,” along with reasonable costs of verifying whether a system has been altered, acquired, damaged, deleted, disrupted, or destroyed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The penalty for a ransomware attack that results in more than $1,000 in losses would increase to a maximum fine of $100,000 and up to 10 years imprisonment. If the attack results in aggregate losses of less than $1,000, the crime would be a misdemeanor and could result in a fine of up to $25,000 and up to 5 years imprisonment.

Even being in possession of ransomware (for non-research purposes) could result in a hefty fine and prison term, even if no attacks have been conducted. Possession with intent could result in a fine of up to $10,000 and up to 10 years imprisonment.

It would also be possible for a person who has suffered a specific and direct injury as a result of a ransomware attack to bring a civil action against the attacker and for damages to be awarded and the cost of legal action to be recovered.

Ransomware poses a threat to all businesses, but healthcare organizations are especially vulnerable. Ransomware attacks on hospitals not only causes financial losses but could also potentially cause harm to patients. Loss of access to healthcare systems and encryption of patient data can disrupt medical services which could lead to fatalities.

Research conducted at Vanderbilt university in 2017 suggests ransomware attacks on hospitals could potentially result in 2,000 deaths a year. The financial losses can also be considerable. The ransomware attack on Maryland-based Medstar Health in 2016 is believed to have caused more than $30 million in losses.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.