Cybersecurity News

Memorial Health Faces Lawsuit After Hive Ransomware Cyberattack

Hive ransomware group claimed responsibility for an August 2021 cyberattack against Memorial Health System, and victims are now demanding answers.

Memorial Health Faces Lawsuit After Hive Ransomware Cyberattack

Source: Getty Images

By Jill McKeon

- Ohio-based Memorial Health System (MHS) is now facing a lawsuit regarding an August 2021 cyberattack that was claimed by Hive ransomware group. The cyberattack impacted over 215,000 individuals and resulted in significant cancellations and ambulance diversions.

In January, MHS released a statement confirming that data may have been stolen in the attack. Threat actors may have viewed or acquired names, birth dates, patient account numbers, Social Security numbers, treatment information, and medical record numbers.

Despite reporting that patient data may have been stolen, MHS said it had "no reason to believe that any identity theft or unauthorized use of the affected information occurred."

Former patient Kathleen Tucker filed the suit on January 19 on behalf of fellow victims. The filing alleged that the data breach victims “suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

In Tucker’s case, the filing argued that the plaintiff “suffered actual injury from having her PII and PHI compromised,” including damage to the value of her personal information, and violation of her privacy rights. The suit stated that Tucker spent 10 hours canceling credit cards, changing passwords, and signing up for identity monitoring services.  

The lawsuit also explained that Tucker was notified of fraudulent charges, received unsolicited phishing emails, and suffered emotional distress.

MHS was accused of failing to implement adequate security measures, failing to monitor the security of their networks, allowing unauthorized access to private information, failing to detect the breach in a timely manner, and failing to notify class members of the breach in a timely manner.

The plaintiff argued that MHS violated HIPAA regulations as well as Federal Trade Commission (FTC) regulations.

It is important to note that the lawsuit did not address specific physical, technical, or administrative safeguards required by HIPAA that MHS failed to implement. The plaintiff argued that the data breach itself provided evidence of insufficiencies “that demonstrate Memorial Health failed to comply with safeguards mandated by HIPAA regulations.”

The suit also alleged that MHS failed to meet the minimum standards of the NIST Cybersecurity Framework Version 1.1 and numerous other frameworks.

In addition, the lawsuit cited Hive ransomware’s reputation for exfiltrating and leaking data as another cause for concern. Hive, along with REvil and Conti, led the Health Sector Cybersecurity Coordination Center’s (HC3) list of the top 10 US ransomware threat actors in Q3 2021.

“HC3 assesses the Hive ransomware operators are likely to continue to target healthcare organizations specifically in the United States while the Vice Society ransomware group are likely to continue to target the health sector both in the United States and abroad,” HC3 said in the brief.

“Furthermore, both the Hive and Vice Society ransomware groups surfaced in June 2021, following a trend of ransomware groups rebranding in attempts to evade law enforcement and takedown efforts. HC3 assesses that this trend is likely to continue, especially as ransomware groups attempt to compromise and extort healthcare entities with ransomware.”

As threat actors shift their tactics and targets to maximize attack volume and scope, healthcare organizations should remain vigilant.