Rise in Class Action Lawsuits Subsequent to Healthcare Data Incidents

The law firm BakerHostetler has shared its 8th Annual Data Security Incident Response (DSIR) Report, which offers insights according to 1,270 data security incidents managed by the company in 2021. 23% of those occurrences involved data security incidents at healthcare companies, which was the most targeted sector.

Ransomware Attacks Went Up in 2021

Ransomware attacks have kept on occurring at increased levels. 37% of all data security occurrences dealt with by the firm in 2021 were ransomware attacks compared to 27% in 2020. Attacks on healthcare institutions increased substantially year over year. 35% of healthcare security breaches addressed by BakerHostetler in 2021 employed ransomware, which is higher by 20% in 2022.

Ransom demands and payments diminished in 2021. In healthcare, the average preliminary ransom demand was $8,329,520 and the average ransom paid was $875,784 which is around two-thirds of the amount compensated in 2020. Restoration of files was 6.1 days right after to payment of the ransom, and in 97% of cases, data was restored right after paying the ransom.

Data exfiltration is the norm at this time in ransomware attacks. According to BakerHostetler, 82% of the ransomware attacks in 2021 included the exfiltration of data by the attackers prior to encrypting files. In 73% of those occurrences, evidence of data theft was confirmed, and 81% needed notifying affected individuals. The average and the median number of notifications were 81,679 and 1,002, respectively.

The danger of the exposure of stolen information prompted a lot of companies to pay for the ransom. 33% of victims gave ransom payment even if they had partly restored files from backups and 24% paid despite the fact that they had fully recovered files from backups.

There was additionally more business email compromise (BEC) attacks. Although detection improved in time, the number of organizations that had to issue notification letters regarding the incident to people and regulators increased, jumping from 43% of incidents in 2020 to 60% in 2021.

Class Action Lawsuits are Typical, Even for Smaller Data Incidents

Today, it is more typical for businesses to face class action lawsuits after security incidents. Though class-action lawsuits tended to only be filed for large data occurrences, it is now more and more prevalent for smaller data breaches to also lead to lawsuits. In 2021, 23 disclosed data incidents resulted in the filing of legal cases, 2020 only had 20. 11 of the lawsuits were associated with data incidents impacting the data of fewer than 700,000 persons, with 3 lawsuits filed with regards to incidents that impacted less than 8,000 persons.

BakerHostetler discovered a trend in 2021 for the filing of multiple class-action lawsuits subsequent to a data incident. More than 58 legal cases were filed linked to the 23 occurrences, and 43 of those lawsuits concerned data breaches at healthcare providers.

OCR is Asking for Information on “Recognized Security Practices”

2021 had high numbers of data breaches reported by healthcare companies. There were 714 incidents reported to the HHS’ Office for Civil Rights in 2021 as compared to 663 in 2020. More data breaches were referred to the Department of Justice and investigated probable criminal violations than in previous years.

In 2021, there was a modification to the HITECH Act to add a HIPAA Safe Harbor for companies that have followed identified security practices for a minimum of 12 months before a data breach happens. BakerHostetler stated that out of the 40 OCR investigations of businesses that it worked with, OCR often questioned the recognized security practices that were in place in the 12 months prior to the incident taking place. BakerHostetler firmly advises companies to assess their security guidelines and make sure they match the definition of “recognized security practices” given in the HITECH changes, and to take into account additional investments in cybersecurity to satisfy that definition if their security procedures do not meet what is required.