Data Exfiltration Leads to Legal and Regulatory Liability


April 16, 2024

World map

The US Department of Health & Human (HHS) Services Office for Civil Rights (OCR) recently opened an investigating into medical payments giant Change Healthcare to enforce rules designed to safeguard the Protected Healthcare Information (PHI) of patients.

‍Change Healthcare was the victim of a recent ransomware attack. The OCR claims the investigation is required given the “unprecedented magnitude of this cyber-attack,” and seeks to understand if Change Healthcare was in regulatory compliance at the time of the attack.‍

“The OCR also reminded organizations that have partnered with Change Healthcare and UnitedHealth of their regulatory obligations and responsibilities, such as ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs,” Infosecurity Magazine reported.

Takeaway: The Change Healthcare attack highlights potential repercussions from ransomware attacks that go far beyond financial and operational impact, as legal and regulatory liability are growing concerns.

Data exfiltration and the threat of exposure are now a central aspect of nearly every ransomware operator’s playbook and significantly increase the chances for the extortion efforts to be successful.

In some cases, the attackers may not only demand payment of a ransom to regain access to encrypted systems, but they may also demand further payment for the stolen data itself.  

Of course, there is no guarantee that a ransom payment will protect the stolen data from being exploited, and the exposure of sensitive data can lead to regulatory fines, legal liabilities, and severe damage to the company's brand and customer trust.  

Protecting sensitive data through robust cybersecurity measures, including encryption, access controls, and employee training, is essential in safeguarding against data loss and intellectual property theft.

Organizations need to understand that today’s ransomware attacks involve a great deal more than just the delivery of malicious code and the issuing of a ransom demand.  

Data exfiltration is central to nearly every major ransomware operation, and the tactic has been so successful that some groups have abandoned the encryption aspect of attacks altogether to focus solely on stealing data and extorting the victim.

As an executive, it is crucial to understand the potential impact of disruptive cyber-attacks on your business and take proactive steps to mitigate them.  

Halcyon recently published a reference guide that explores what each C-level executive should know about ransomware to ensure a strong security posture and protect their organization: What Executives Should Know about Ransomware. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.