Data-breach settlements and cyber-security lawsuits
Early one morning in January 2018, hackers broke into the computer network of Allscripts, a Chicago-based company that provides medical records software to thousands of doctors and hospitals across the U.S. The hackers unleashed data-encrypting malware, blocking clients’ access to patient files, and demanded bitcoin in exchange for unlocking them.
As it turns out, Allscripts had been keeping backup files that were not touched by the ransomware attack. Rather than pay the ransom, Allscripts focused on restoring data from these backup copies. Ultimately, about 1,500 clients experienced problems accessing their records before Allscripts managed to get most issues fixed a week later.
Among the affected clients was Surfside Non-Surgical Orthopedics in Boynton Beach. The two-physician practice runs on Allscripts’ cloud-based electronic health records and e-prescribing platforms. During the weeklong outage, Surfside was unable to access its patient records or electronically prescribe medications, according to a lawsuit filed in federal court in Chicago. Surfside accuses Allscripts of not doing enough to prevent the attack or lessen its impact and has sued on behalf of all affected clients for “significant business interruption and disruption and lost revenues.”
The plaintiffs’ attorney, John Yanchunis, of Morgan & Morgan in Tampa, says it’s the first class-action suit involving a ransomware attack in the U.S. Although ransomware has been around for years, he says, most victims pay the ransom and keep it quiet. “It happens all the time. It’s just that the public doesn’t see it,” he says.
Yanchunis has also settled multi-million-dollar data-breach cases against Home Depot and Target. Last fall, he secured a $50-million settlement from Yahoo for about 200 million people whose email addresses and other personal information were stolen in a 2013 data breach. Yahoo reportedly agreed to pay $35 million in lawyer fees.
The case against Allscripts remains in its early stages. Allscripts has moved to dismiss the case, arguing that Surfside wrongfully sued Allscripts’ parent company to avoid arbitration. (Allscripts says its contract with Surfside includes an agreement to resolve any disputes in arbitration rather than in court.)
Allscripts also claims it could not have foreseen the attack because the ransomware responsible was a new variant. Surfside’s lawyers counter that the so-called SamSam ransomware strain had been a known threat since 2016 and that Allscripts’ delayed resolution of service outages points to negligence.
“We had clients who couldn’t see patients because they couldn’t access their records. It cost them money and goodwill,” says Yanchunis’ co-lead counsel, Steve Teppler, of Abbott Law Group in Jacksonville. “Who wants to go to a doctor who says ‘we can’t do anything because our computers are down’?”
Allscripts has not disclosed how much money the hackers demanded. The FBI urges companies never to give in to ransom demands, but many businesses lack the resources needed to get their data back on their own, experts say. Cyber-extortionists tend to target companies that can’t afford to be offline for long; they then set their ransom prices low enough — typically between several hundred dollars and several thousand dollars — to encourage payment.
“The perpetrators know the threshold for getting the FBI involved and stay below that threshold,” says Sri Sridharan, executive director of the Florida Center for Cybersecurity at the University of South Florida. “They realize they can make a ton of money by just asking for $300 to $500 in ransom and increasing the number of attacks.”
Sridharan recommends companies take steps to prevent ransomware attacks, including training employees to recognize and ignore phishing emails, backing up important files and storing the backups on separate servers, and installing firewalls and antivirus protections. However much is spent, “there’s no bulletproof solution,” Sridharan says. “The cyberattacks are constant. It doesn’t stop.”
Last November, the U.S. Justice Department charged two Iranian men in the SamSam ransomware campaign against Allscripts and a host of other victims, including hospitals and local governments. Authorities say the hackers relied on “brute-force” tactics, such as password-guessing algorithms, to gain entry via server vulnerabilities. Most attacks occurred outside normal business hours, when the ransomware was more likely to spread undetected. (The attack against Allscripts began at 2 a.m. and was discovered four hours later.)
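The indictment’s two details, password-guessing against exposed servers and activity outside business hours, are exactly what a defender can watch for. The following is an added illustration, not code from Allscripts or from the article: it runs a per-source sliding-window count over constructed failed-login records (the log format, IP addresses, thresholds and 7 a.m. to 7 p.m. business hours are assumptions) and flags a burst that happens at 2 a.m.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from any real system): 25 failed logins from
# one source at 2 a.m. cycling through admin-style usernames, plus two daytime
# failures from a second source that should not raise an alert.
SAMPLE_LOG = [
    f"2018-01-18T02:00:{s:02d} 203.0.113.7 login failed user={u}"
    for s, u in enumerate(["admin", "administrator", "root", "sa", "backup"] * 5)
] + [
    "2018-01-18T14:10:02 198.51.100.4 login failed user=jsmith",
    "2018-01-18T14:10:30 198.51.100.4 login failed user=jsmith",
]

# Assumed log line shape: "<ISO timestamp> <source IP> login failed user=<name>"
LINE_RE = re.compile(r"^(\S+) (\S+) login failed user=(\S+)$")

def parse_line(line):
    """Return (timestamp, source_ip, username) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def is_off_hours(ts, open_hour=7, close_hour=19):
    """True on weekends or outside the assumed 07:00-19:00 business window."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)

def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert once per source IP when >= threshold failures fall inside one window.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # source IP -> timestamps still inside the window
    users = defaultdict(set)      # source IP -> distinct usernames tried
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_seen": q[0], "count": len(q),
                          "distinct_users": len(users[ip]),
                          "off_hours": is_off_hours(ts)}
    return alerts
```

An off-hours burst spread across several usernames from one source is the pattern worth paging on; a few failures from one user during the day is usually a typo.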
In all, the Iranian hackers extorted more than $6 million from their victims, who also lost more than $30 million in disrupted operations and other costs, authorities say.
Two years ago, the U.S. District Court in Miami dismissed a lawsuit against Aventura Hospital on the grounds that the plaintiff — one of about 85,000 patients whose medical records were compromised in a 2014 data breach — did not appear to suffer any negative consequences. In other words, the plaintiff could not sue because — despite the potential for harm at the hands of identity thieves and fraudsters — her personal information had not actually been misused.
In the ruling, District Court Judge Jose Martinez pointed to a 2013 U.S. Supreme Court decision involving the question of standing. In that prior decision, the Supreme Court said a lawsuit can’t be brought simply because of the potential for harm — rather, plaintiffs must be able to show they suffered “actual or imminent” injury in order to have standing to sue. Since then, many companies, including Aventura Hospital, have used the issue of standing to fend off data-breach lawsuits.
More recently, however, some courts have ruled in favor of plaintiffs, encouraging consumer class-action lawyers. Companies that lose at the dismissal stage typically head to settlement.
Last year, the U.S. Court of Appeals for the 8th Circuit confirmed a lower court’s approval of a $10-million settlement between Target and customers affected by a 2013 data breach. Target decided to settle after the district court in Minneapolis ruled that the plaintiffs could sue because they had experienced such problems as “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills and late payment charges or new card fees.” Target also agreed to pay an additional $6.75 million in fees for plaintiffs’ lawyers.
A data breach typically costs a small business about $3 million, not counting loss of reputation and goodwill, according to the Ponemon Institute, a privacy and information management research firm. Businesses can buy cyber-crime insurance to mitigate their risks, but the policies are pricey and provide limited coverage, says Sri Sridharan, executive director of the Florida Center for Cybersecurity at USF. “In some insurance policies I’ve read, there are more exclusions than inclusions,” he says. “Everything is based on your infrastructure. If you have a lot of areas of weakness that can be exploited by the hackers, then the policy is going to be very expensive. That’s where management has to decide, ‘Do we spend $2 million on fixing a patch or $1 million on an insurance policy?’”
Read more in our February issue.