
The Decline of Ransomware in Healthcare Breach Notifications

Mentions of ransomware in healthcare breach notifications have been in decline for some years despite evidence demonstrating that the number of ransomware attacks on healthcare organizations is increasing. However, the apparent contradiction is not due to healthcare organizations better protecting patient data. It is more likely due to healthcare organizations better protecting their liabilities.

The recent Change Healthcare cyberattack shows that the impact of ransomware in healthcare is increasing like never before. UnitedHealth Group has confirmed that Protected Health Information (PHI) was acquired in the attack. Because of this, breach notifications must be sent to the affected individuals, State Attorneys General, and HHS’ Office for Civil Rights. What is not known is whether the word “ransomware” will appear in the breach notifications.

The reason for the uncertainty is that, between 2022 and 2023, the number of successful ransomware attacks against healthcare organizations increased by 128% according to the Office of the Director of National Intelligence. At the same time, mentions of ransomware in healthcare breach notifications to HHS’ Office for Civil Rights fell by almost 60% according to the web descriptions of HIPAA data breaches in the Archive section of HHS’ Breach portal.

Timeline of Ransomware in Healthcare Breach Notifications

Mentions of Ransomware in Healthcare Breach Notifications - HIPAAJournal.com

Exploring the timeline of ransomware in healthcare breach notifications and the consequences of notified ransomware attacks can help explain the apparent contradiction. Up to 2015, only two ransomware attacks affecting more than 500 individuals were reported to HHS’ Office for Civil Rights. In both cases, it was reasonable to assume that hackers had accessed electronic databases containing PHI and exfiltrated data prior to encrypting the databases.

In early 2016, the number of ransomware attacks on healthcare organizations increased substantially. Some took hospital systems out of service for more than a week. However, most attacks were not reported to HHS’ Office for Civil Rights – entities claiming either that it had not been possible to access electronic PHI or that there was no evidence to suggest data had been stolen. The failure to notify HHS and affected individuals about these security incidents raised concerns among privacy experts.

The HHS’ Office for Civil Rights responded to the concerns by publishing a Ransomware Factsheet. The Factsheet states that because “unauthorized individuals have taken possession or control of information”, ransomware attacks are notifiable security incidents unless the attacked entity can demonstrate a low probability that PHI has been compromised. The steps to demonstrate a low probability of compromise can be found in 45 CFR §164.402.

Notifications Increase Following Publication of Ransomware Factsheet

Mentions of ransomware in healthcare breach notifications increased following the publication of the factsheet in July 2016 – but not by as much as many might have expected. A report published in November 2016 claimed that 48% of survey respondents had experienced at least one ransomware attack in the previous twelve months, yet there were only twenty-six mentions of ransomware in healthcare breach reports affecting more than 500 individuals in 2016.

Mentions of ransomware in health breach reports increased to fifty mentions in 2017 but declined to thirty-one mentions in 2018 – despite a report by Kaspersky Lab suggesting that 27% of North American healthcare organizations had experienced at least one ransomware attack during the year. While it might be the case there was “a low probability PHI was compromised” in these attacks, underreporting is the most likely explanation for the decline in notifications.

The increase in breach notifications mentioning ransomware from 2019 reflects a major increase in ransomware attacks due to a trio of factors – the increased availability of ransomware-as-a-service (RaaS), the development of multi-extortion models, and the COVID-19 pandemic.

The Impact of Ransomware-as-a-Service

The increased availability of RaaS lowered the entry threshold for cybercriminals. Previously, many cybercriminals lacked the skills to develop ransomware. However, the option to rent ready-made malware and infrastructure – or deploy it on behalf of a developer on a profit-sharing basis – led to more cybercriminals getting involved in the activity and an increase in the overall number of ransomware attacks.

The Threat of Multi-Extortion Ransomware Attacks

The multi-extortion model involves data theft before file encryption. A DDoS attack might also be launched against victims to accelerate payment of the ransom. Because cybercriminals first download copies of PHI to publish on a “leak site” if the ransom is not paid, healthcare organizations can no longer avoid notifying affected individuals and the HHS’ Office for Civil Rights by claiming “a low probability PHI was compromised”.

Automated Attacks on Remote Worker Connections

When the COVID-19 pandemic started, many healthcare organizations were unprepared for the urgent transition from on-site to remote working and the increased attack surface. Cybercriminals took advantage of the lack of preparedness by launching automated attacks on Remote Desktop Protocol (RDP) to brute force weak passwords and deploy ransomware. On April 7, 2020, Kaspersky Lab recorded 1.4 million automated RDP attacks in the U.S.

Increase in Brute Force RDP Attacks - HIPAAJournal.com

Why the Recent Decline in Reported Ransomware Attacks?

There are several explanations for the recent decline in reported ransomware attacks. It could be the case that cybercriminals have acquired a conscience, that healthcare organizations have become more effective at defending against ransomware attacks, or just better at protecting PHI so that ransomware attacks they are unable to defend against are not notifiable events. The bare figures indicate none of these theories are true.

Compared to the “peak ransomware notification years” of 2020 and 2021, new records were set in 2022 and 2023 for the number of healthcare breaches affecting more than 500 individuals reported to HHS’ Office for Civil Rights and for the number of individuals affected by the breaches. During the first three months of 2024, more breaches were reported to HHS’ Office for Civil Rights than in any previous quarter – yet few mention ransomware as a factor.

The most likely reason for the recent decline in reported ransomware attacks is the fear of civil lawsuits. Many cyberattacks that were reported to the HHS’ Office for Civil Rights as ransomware attacks prompted multiple class action lawsuits, several of which have been successful for the plaintiffs and have resulted in settlements.

Rather than getting better at protecting PHI, the recent decline in reported ransomware attacks is more likely attributable to healthcare organizations omitting the word ransomware in healthcare breach reports to avoid civil lawsuits. Most ransomware groups steal data and publish it on the dark web if the ransom is not paid, and even if the ransom is paid, the data is often not deleted. If ransomware is mentioned in breach notifications, alleging that victims have been harmed is much easier. Effectively, healthcare organizations are getting better at protecting their liabilities.

Are Healthcare Organizations Liable for Ransomware Attacks?

Healthcare organizations can be liable for ransomware attacks if it is demonstrated that they have failed to implement reasonable and appropriate safeguards to protect against ransomware attacks. For example, if an organization conducts a risk assessment and identifies the risk of a ransomware attack due to phishing susceptibility, the organization must implement safeguards to reduce phishing susceptibility or the consequences of a successful phish.

As healthcare organizations are required by HIPAA to conduct accurate and thorough risk assessments (45 CFR §164.308) and to review the assessments periodically and update them as necessary (45 CFR §164.316), there is no excuse for failing to identify the risk of a ransomware attack, or for failing to implement safeguards such as workforce training, advanced email filters, and/or multi-factor authentication – all of which are reasonable and appropriate.

How exactly healthcare organizations can be liable for ransomware attacks varies by jurisdiction. HIPAA does not have a right of action for individuals affected by data breaches and class action lawsuits are filed under state laws. However, the failure to comply with HIPAA can be used to prove liability in certain cases. In these cases, the failure to protect PHI under state law can cost a healthcare organization more than the failure to comply with HIPAA.

Is It Worth Omitting Ransomware in Healthcare Breach Notifications?

While omitting ransomware from healthcare breach notifications might have helped some organizations avoid class action lawsuits, the subterfuge has run its course. Multiple class action lawsuits are likely to be filed following any sizeable healthcare data breach, and because ransomware groups name and shame their victims on data leak sites, an attack that involved ransomware is likely to be reported as such in the media regardless. Whether or not ransomware is mentioned in a breach notification is therefore unlikely to make any difference to the number of lawsuits. Multiple class action lawsuits were filed against Change Healthcare before UnitedHealth Group confirmed that ransomware was used in the attack.

The purpose of breach notifications is to alert individuals that their protected health information has been exposed or stolen so that they can take steps to mitigate the risk of identity theft, fraud, and other harm. The lack of information in healthcare breach notifications is a growing cause for concern, as individuals are not being given enough information to accurately assess the risk of harm arising from a data compromise. The Federal Trade Commission has listened to these concerns and recently released a Final Rule requiring more clarity in breach notifications. It is expected that HHS’ Office for Civil Rights will follow suit with respect to the HIPAA breach notification requirements.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
