Escalation in Class Action Lawsuits After Healthcare Data Breaches

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which draws on 1,270 data security incidents the firm handled in 2021. 23% of those incidents involved healthcare organizations, which was the most frequently attacked industry.

Ransomware Attacks Grew in 2021

Ransomware attacks have continued at elevated levels. 37% of all data security incidents handled by the firm in 2021 were ransomware attacks, compared with 27% in 2020. Attacks on healthcare organizations grew significantly year over year: 35% of the healthcare security incidents BakerHostetler handled in 2021 involved ransomware, which increased by 20% in 2022.

Ransom demands and payments dropped in 2021. In healthcare, the average initial ransom demand was $8,329,520 and the average ransom payment was $875,784, roughly two-thirds of the amount paid in 2020. Files were recovered 6.1 days after the ransom was paid, and in 97% of incidents data was restored shortly after payment.

Data exfiltration is now the norm in ransomware attacks. According to BakerHostetler, in 82% of the ransomware attacks in 2021 the threat actors exfiltrated files before encrypting data. In 73% of those incidents, evidence of data theft was found, and 81% required notifications to be sent to affected individuals. The average and median numbers of notification letters were 81,679 and 1,002, respectively.

The risk of stolen data being exposed prompted many businesses to pay the ransom. 33% of victims paid even though they had partially recovered files from backups, and 24% paid even though they had fully recovered their files from backups.

There was also a rise in business email compromise (BEC) attacks. Although detection improved over time, the percentage of companies that had to notify individuals and regulators about the incident rose from 43% of incidents in 2020 to 60% in 2021.

Class Action Lawsuits are Common, Even for Smaller Data Breaches

It is now more common for companies to face class-action lawsuits after data security incidents. Class-action lawsuits once appeared to be filed only for large data breaches, but it is now considerably more common for smaller breaches to also result in litigation. In 2021, 23 data breaches led to lawsuits being filed, compared with only 20 in 2020. 11 of the lawsuits concerned breaches affecting the data of fewer than 700,000 individuals, and 3 lawsuits were filed over incidents that affected fewer than 8,000 people.

BakerHostetler also observed a pattern in 2021 of multiple class-action lawsuits being filed shortly after a single data breach. More than 58 lawsuits were filed in connection with the 23 breaches, and 43 of those lawsuits concerned data breaches at healthcare providers.

OCR is Seeking Evidence of “Recognized Security Practices”

Healthcare organizations reported a large number of data breaches in 2021. 714 incidents were reported to the HHS’ Office for Civil Rights in 2021, compared with 663 in 2020. More data breaches were referred to the Department of Justice for investigation of potential criminal wrongdoing than in previous years.

In 2021, the HITECH Act was amended to add a HIPAA Safe Harbor for organizations that had implemented recognized security practices for at least 12 months before a data breach occurred. BakerHostetler noted that in the 40 OCR investigations it was involved in, OCR repeatedly asked about the recognized security practices that were in place during the 12 months before the incident. BakerHostetler strongly advises organizations to review their security practices and confirm that they meet the definition of “recognized security practices” set out in the HITECH amendment, and to consider further investment in cybersecurity to meet that definition where their current security program falls short.