Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe, Northwest Indiana's largest group of Board-Certified Otolaryngologists, over the loss of sensitive data for 48,742 patients during a June ransomware attack.
“The lawsuit alleges multiple violations of the HIPAA Privacy Rule and HIPAA Security Rule, a failure to implement and maintain reasonable procedures as required by the Indiana Disclosure of Security Breach Act (DSBA), and CarePointe knowingly committed unfair, abusive, and/or deceptive acts, in violation of the Indiana Deceptive Consumer Sales Act (DCSA),” the HIPAA Journal reports.
“Security issues identified by the IT vendor included weak password policies (no password expiration, passwords of 8 or fewer characters were permitted, and there were no complexity requirements); no account lockouts after a set number of failed login attempts; inactive/decommissioned computers were not removed from Active Directory; a lack of procedures for terminating access when accounts were no longer used; outdated antivirus software; unrestricted access to network shares containing PHI; the use of generic logins for systems containing PHI; and the use of public domain email accounts for conducting CarePointe business.”
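Most of the gaps the vendor listed live in Active Directory and can be checked from a single script. The following PowerShell audit is an added example for this article, not code from the HIPAA Journal, CarePointe or Halcyon; it uses the RSAT ActiveDirectory module's standard cmdlets and assumes read access to the domain. The 90-day inactivity threshold is an assumption, not a HIPAA value. Antivirus currency, share permissions and generic logins are not covered here and need separate review.

```powershell
# Added example (not from the article): audit a domain for the control gaps
# named in the finding above. Requires the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Findings  = [System.Collections.Generic.List[string]]::new()
$StaleDays = 90   # assumed inactivity threshold for "decommissioned" accounts

# 1. Password policy: length, complexity, expiration
$Policy = Get-ADDefaultDomainPasswordPolicy
if ($Policy.MinPasswordLength -le 8) {
    $Findings.Add("Minimum password length is $($Policy.MinPasswordLength): 8 or fewer characters permitted.")
}
if (-not $Policy.ComplexityEnabled) {
    $Findings.Add("Password complexity is not enforced.")
}
if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    $Findings.Add("MaxPasswordAge is 0: passwords never expire at the domain level.")
}

# 2. Account lockout after repeated failed logins
if ($Policy.LockoutThreshold -eq 0) {
    $Findings.Add("LockoutThreshold is 0: accounts never lock after failed logins.")
}

# 3. Inactive computers still present in Active Directory
$StaleComputers = Search-ADAccount -AccountInactive -ComputersOnly `
    -TimeSpan ([TimeSpan]::FromDays($StaleDays))
foreach ($c in $StaleComputers) {
    $Findings.Add("Computer '$($c.Name)' inactive $StaleDays+ days (LastLogonDate: $($c.LastLogonDate)); remove or disable.")
}

# 4. Enabled user accounts nobody has used: access that was never terminated
$StaleUsers = Search-ADAccount -AccountInactive -UsersOnly `
    -TimeSpan ([TimeSpan]::FromDays($StaleDays)) | Where-Object { $_.Enabled }
foreach ($u in $StaleUsers) {
    $Findings.Add("Enabled user '$($u.SamAccountName)' inactive $StaleDays+ days; review for termination.")
}

# 5. Per-account exemptions that defeat the expiration policy
$NeverExpires = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true'
foreach ($u in $NeverExpires) {
    $Findings.Add("Enabled user '$($u.SamAccountName)' has PasswordNeverExpires set.")
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

Run it from a domain-joined workstation with RSAT installed; each line of output maps to one of the vendor's findings, and an empty result for a category is the evidence an auditor will ask for.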
Takeaway: On average, a ransomware attack costs more than $4M to fully remediate. These costs do not include potential losses from lawsuits and other tangential costs like damage to the brand, lost revenue, lost production, as well as intellectual property and regulated data loss – and the potential liability that comes with it.
Most ransomware attacks today include data exfiltration prior to the encryption of systems. The stolen data is used as leverage to compel the victim to pay the ransom demand with the threat of releasing or otherwise exposing the data if payment is not made.
The data exfiltration tactic has been so successful that some threat actors, such as BianLian and Karakurt, are even skipping the encryption stage and moving to straight-up data extortion.
Even if organizations are prepared to respond and recover from a ransomware attack, the fact that sensitive data was stolen or exposed puts them at additional risk from regulatory sanctions to class action lawsuits.
As attackers get more proficient at automating aspects of the attack progression by exploiting known vulnerabilities for initial access, improving stealthy payload delivery, fine-tuning evasion techniques, and exponentially improving encryption speeds, we will likely continue to see an escalation in attacks.
Organizations that handle sensitive and regulated data need to ensure they are doing their due diligence in implementing the correct security controls and conducting regular assessments and tabletop exercises.
Ransomware is a multi-billion-dollar industry that is growing at an astounding pace – if you think your organization is immune, you might be headed for an unpleasant surprise.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).