As ransomware attacks proliferate across industries, organizations are confronted with an urgent and complex prospect: whether to pay a cybercriminal's ransom demand. Data breaches impacting sensitive information occur on a daily basis. Among notable events, Change Healthcare recently confirmed that a ransomware attack from earlier this year affected the protected health information of nearly 100 million individuals, making it the largest known breach of a HIPAA-regulated entity. The attack was attributed to a Russia-based ransomware gang that demanded a $22 million ransom.
The legal and strategic considerations in the wake of a ransomware attack are significant and must account for potential liability ramifications. Because of the essential nature of their services, and the sensitivity of the information they hold, healthcare providers should weigh these considerations well before they are confronted with a ransomware event.
The Decision to Pay: Key Considerations
Reasons to Pay
- Minimizing Business Disruption
In cases involving encryption, paying a ransom demand may be the quickest option to regain access to critical systems and data, and return to normal operations. When patient safety and care continuity are at stake, the pressure to restore operations may outweigh other concerns.
- Avoiding Extended Downtime
The operational costs of prolonged downtime often exceed the ransom demand itself. This is especially true in sectors where uninterrupted service is essential. Outages can result in financial losses and reputational damage.
- Avoiding Data Exposure
Threat actors claim they will not publicly disclose stolen data if their demands are met (by no means an honorable community, threat actors normally follow through on this commitment to maintain credibility with future victims, but that is not guaranteed). Healthcare organizations may feel compelled to take this option to protect their patients.
- Safeguarding Intellectual Property
Not all data has the same value nor the same protection requirements. If the impacted data include trade secrets or other sensitive business information, a cost-benefit analysis may weigh in favor of paying the ransom to prevent disclosure of intellectual property. These decisions are especially important in industries with high-value research and development, such as pharmaceuticals and bio-technology.
Reasons Not to Pay
- No Reduction in Legal Liability
State and federal breach notification laws and regulations mandate that entities notify attorneys general, regulators, and affected individuals of a data breach, regardless of whether a ransom is paid. Once these notifications are made, many states and regulators publicly disclose the name of the breached entity on their websites. Class action plaintiff attorneys frequently monitor these sites, often leading to the filing of class action lawsuits against the breached entities. Since the obligation to notify arises as soon as data is accessed or acquired without authorization, paying a ransom does not reduce the risk of facing class action liability. Moreover, states and regulators do not take into account whether a breached entity paid a ransom when taking enforcement actions.
- Increased Future Targeting
Paying ransom can signal to other ransomware groups that an organization's system is vulnerable and its leaders' amenable to ransom payments.
- Legal and Regulatory Risks
Paying a ransom can expose an organization to legal risks. The Office of Foreign Assets Control (OFAC) prohibits U.S. companies from engaging in financial transactions with sanctioned entities. If ransom is paid to a sanctioned recipient, the organization may face civil and criminal penalties regardless of whether the organization knew the recipient was sanctioned.
- Insurance Coverage Not Guaranteed
Many cyber insurers experienced significant losses when ransomware spiked in 2020, leading to changes in insurance practices. Organizations should review their policies to determine coverage.
- Ethical and Public Perception Concerns
Enabling criminal enterprises through ransom payments presents ethical challenges and potential reputational harm. A decision to pay can magnify public awareness of an incident and impact perception of an organization.
Regulation and Litigation Considerations
Following an incident, organizations may face negligence claims and regulators may examine whether their data security requirements have been met. As noted above, data breaches normally must be reported even if data exposure is avoided through a ransom payment. Failure to do so may result in fines and penalties. Affected parties often pursue civil litigation, to include class actions, when sensitive personal, health or financial information has been exposed.
Increased Targeting of the Healthcare Sector
Ransomware attacks increasingly target the healthcare industry due to the criticality of their services and the sensitivity of the information they handle. Cyber threat actors know operational interruptions and exposure of sensitive information give them great leverage when making ransom demands. Healthcare providers should assess their cybersecurity infrastructure, review incident response strategies and insurance policies, and evaluate the legal implications of decisions before facing a ransomware incident.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.