After dealing with the financial effects of COVID-19, hospitals are facing a new threat: lawsuits following cyberattacks.
Since January, four lawsuits have been filed against both Howard Memorial Hospital of Nashville and against the Mena Hospital Commission, which operates as the Mena Regional Health System. The lawsuits allege the hospitals were negligent in failing to prevent hackers from stealing tens of thousands of patient records and their financial information.
Howard Memorial reported 53,668 people were affected by its breach, and the MRHS said 84,814 people were affected in its incident, according to the U.S. Department of Health & Human Services Office for Civil Rights.
And more hospitals are expected to become targets of cyberattacks.
“We are definitely seeing this ransomware epidemic continue to plague hospitals and health systems,” said Jamie Singer, managing director of FTI Consulting Inc. of Washington, D.C. Singer co-leads FTI’s Cybersecurity & Data Privacy Communications group.
More than two-thirds of U.S. health care and life sciences companies reported a cyberattack or incident during the last 12 months, with malware/ransomware and phishing as the most common incident types, according to FTI’s U.S. Healthcare & Life Sciences Industry Outlook 2023. And 42% of those who responded said that they consider their company to be vulnerable to incidents in the coming year.
The attacks and lawsuits come as hospitals are recovering from 2022, the worst financial year since the start of the pandemic, according to Kaufman Hall of Chicago, which advises health care and higher education organizations and collects data from more than 900 American hospitals.
About half of U.S. hospitals finished the year with a negative margin as growth in expenses outpaced revenue increases, according to a January news release.
Health care cyber breaches can be another big expense. The cost of the average health care breach increased to $10.1 million, a record, according to the IBM Security Cost of a Data Breach 2022 report.
Hackers target health care information because of its value, Singer said. “This is a transactional business for the threat actors,” Singer said. “And so what they do is they go after targets that they think they can extort. And because of the pain, the legal pain, financial pain, the reputational pain, … they’re going to keep going after hospitals.”
A ransomware attack can wreak havoc on the hospitals and their patients.
“Because if you can’t access electronic medical records for weeks, that can literally mean the difference between life and death,” Singer said. “So the threat actors … target them accordingly.”
The lawsuits against Mena Regional Health System and Howard Memorial contain similar allegations, saying the hospitals’ servers were breached by hackers who were able to get troves of personal information including names, dates of birth, Social Security numbers, financial account information and medical records.
Mena Regional Health System’s alleged hack happened on Oct. 30, 2021, but MRHS allegedly didn’t discover that it had a data breach until Nov. 8, 2022. Hackers stole the personal and medical information of about 85,000 people, according to one of the lawsuits. The plaintiffs’ attorney in that lawsuit is Thiago Coelho of the Wilshire Law Firm of Los Angeles.
Howard Memorial’s alleged hack occurred between Nov. 14, 2022, and Dec. 4, 2022, according to a lawsuit also filed by Coelho. The eight lawsuits are pending in U.S. District Courts in Arkansas.
Coelho told Arkansas Business that in some cases once the hackers have the information, they will impersonate the patient to obtain additional medication or sell the information on the dark web, the section of the internet that is untraceable and allows users to search anonymously by using particular software.
The lawsuits were filed shortly after the incidents were reported to the Health & Human Services Department, which requires that breaches of unsecured protected health information affecting 500 or more people be reported. The public information also is used by plaintiffs’ attorneys to file lawsuits against companies that have been attacked.
“A lot of times now we’re seeing these lawsuits filed, which means the hospital is unfortunately in the position of having to begin to defend itself before it even knows that it did anything wrong,” said security expert Mac McMillion. McMillion is retired now, but he is the former CEO and co-founder of CynergisTek Inc. of Austin, Texas, an information security services firm specializing in consulting and managed privacy.
Howard Memorial declined to comment, and Mena Regional Health System and its attorneys didn’t return messages requesting comment.
In a court filing, Mena asked for a dismissal. “Plaintiffs do not allege how the Cyberattack occurred, and do not identify any specific defect in MRHS’s security, procedures, or training that may have contributed to the Cyberattack,” Timothy Lowe of Bloomfield Hills, Michigan, wrote in the filing. Attorney Patrick McDaniel of Mena also represents the health system. “In other words, Plaintiffs presume MRHS’s security practices were inadequate simply because the Cyberattack occurred and fail to provide any insight as to how or why these practices were inadequate or what MRHS could have done differently to prevent the data breach.”
These kinds of lawsuits filed against hospitals don’t have a good track record of success, said David Holtzman, principal at HITprivacy LLC of Germantown, Maryland, which offers data protection and information privacy services to companies and health care organizations.
“Somebody has to demonstrate an injury or very strong probability of future injury in order to get past the initial motion to dismiss, which gets you into discovery, which is the point at which many of these cases are being settled,” Holtzman said.
What to Do
Coelho, the plaintiff’s attorney, said that hospitals need to be “doing a lot more when it comes to security. A lot of these hacks can be prevented if they use reasonable security standards, especially given how often these medical-related facilities are being targeted by hackers and the sensitive information that they have,” he said.
“When you’re going to a hospital … the patients expect that that information is going to be kept extremely safe,” Coelho said.
Singer said most cyberattacks are waged through phishing scams, in which an email appears to be from a legitimate source but isn’t. In those phishing attacks, it “literally takes one person clicking on the wrong link,” Singer said.
Establishing multifactor authentication and having complex passwords can help prevent cyberattacks.
Singer also suggested training employees about cybersecurity and handling sensitive data.
But even if a hospital has all the security measures in place, a hacker still might be able to get through. “There’s no silver bullet in terms of prevention,” Singer said.