Legal consequences for victims of cyberattacks are piling up

Falling victim to a cyberattack is bad enough, but there’s a chance that it also leaves companies open to lawsuits should they be found to have failed to adequately protect private data or to have disrupted other businesses.

Several pharmacy groups and healthcare providers in the USA have filed a class action lawsuit against the payments service provider Change Healthcare and are demanding compensation after it fell victim to a successful cyberattack in March. Solarwinds is also facing legal challenges for its cybersecurity practices.

Change Healthcare and its parent company UnitedHealth Group (UHG) play a central role in the USA in processing payments to pharmacies and other service providers in the healthcare sector. The successful ransomware attack on February 21 of this year against the major service provider delayed important payments, caused severe instability and drove some doctors’ offices into bankruptcy. Prescriptions were not billed, authorization applications were not processed and authorization checks were not completed. The class action lawsuit accuses the service provider of poor security practices that made a successful attack easier.

The parent company UHG stated that the current cost of the ransomware attack was between 2.3 and 2.45 billion US dollars this year. UHG has already spent more than $2 billion to respond to the ransomware attack and fix the outages.

There are fears that the victim company will face further risks. As part of the attack, the hackers from the AlphV/Blackcat group are believed to have stolen six terabytes of patient data, including social security numbers and driver’s license numbers. One in three Americans may be affected, which would be around 110 million citizens. Andrew Witty, CEO of UnitedHealth, authorised a ransom of $22 million in Bitcoin to protect this patient information.

Legal consequences for victims of cyberattacks are becoming more and more common. The best-known example was the lawsuit filed by the US Securities and Exchange Commission (SEC) against the company Solarwinds; the attack, known as Sunburst, became public towards the end of 2020. The judge has now dismissed all but one of the charges. The court will further investigate whether Solarwinds committed securities fraud in its own “security statement” on various cybersecurity practices on its company website. This still includes the potential for personal fines for the CISO Timothy G. Brown, for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities”.

Important lessons for Europe

The same pattern is evident in both cases: security practices should follow best practice guidelines, because any possible misconduct could be addressed in court. This is exactly where two sets of rules, the Digital Operational Resilience Act (DORA), focused on the financial industry, and the NIS-2 Directive, come in. They were developed to require companies in Europe to be more operationally cyber resilient. NIS2 introduces personal liability for managers if they violate the directive (see Article 20). Managers’ duties include attending cybersecurity training themselves and offering such training to all employees on a regular basis.

Managers are therefore actively involved in the implementation of cybersecurity measures, which in turn require basic security methods such as multi-factor authentication or network segmentation. If any member of a business’s leadership team can be proven, after an attack, to have failed to comply with these points, they face fines. Fines under NIS2 can range from 100,000 euros to 20 million euros for legal entities. Fines for violations have increased significantly since the IT Security Act 2.0 came into force in 2021. It is also to be expected that the authorities will pursue violations with the same rigor as they do with the GDPR.

Benefit from preparatory work

In Europe, the introduction of the GDPR has already required companies to improve data management by requiring them to manage personal data more strictly and carefully than any other information. The obligation to provide information, the right to be forgotten and the obligation to report data loss have already required companies to have processes and workflows that can be used in a similar way under NIS2 and DORA in the event of an attack. The use of an AI-driven data security and management platform can help companies immensely to implement these processes in a scalable and efficient manner within the company.

“The NIS-2 and DORA regulations are important for Europe and the economy because they strengthen the cyber and operational resilience of companies and authorities. They also reflect the realities: AI and service models such as ransomware as a service have not only increased the amount of cybercrime, but also its quality. Our digital infrastructure must become more robust against successful attacks. To do this, companies must implement basic security practices and revise and optimize all processes and workflows that handle data. Cohesity, acting as a central secure platform for data management in the background, can help massively to ensure the greatest possible operational cyber resilience.”


About the Author

Mark Molyneux is EMEA CTO at Cohesity.

A modern platform for the AI era

Our mission at Cohesity is simple: to protect, secure, and provide insights into the world’s data. The largest organizations around the globe rely on us to strengthen their business resilience. With the Cohesity Data Cloud, we are able to deliver on that mission. Our customers can recover from cyber events faster, manage and secure their data at enterprise scale, and gain valuable insights with our industry-leading AI capabilities.