May 1st, 2023

Ransom demands, recovery times, payments and breach lawsuits all on the rise

By Jessica Davis

Healthcare data breach lawsuits were filed last week against 90 Degree Benefits, CommonSpirit, and OneBrooklyn Health. The three legal filings reflect a broader trend of the growing impact of cybercrime and ransomware across all industries, like healthcare.

Released on April 28, BakerHostetler’s annual data security incident response report shows ransom demands, payments, recovery times, and data breach lawsuits are on the rise in most sectors, including cases tied to the use of pixels within the healthcare environment.

“In 2022, we saw increases in average ransom demands, average ransom payments, and average recovery times in most industries,” the report authors wrote. “The lull in ransomware that marked the start of the year is over. Ransomware groups have resumed attacks, and organizations must redouble their efforts to defend themselves against increasing attacks.”

BakerHostetlet’s Digital Assets and Data Management examined over 1,160 incidents from 2022. While many organizations have bolstered security and resilience, the data shows that threat actors continue to adapt and find footholds onto the network through evasive malware, social engineering, “multi-factor authentication bombing”, and credential stuffing.

Although these newer tactics have been successful, network intrusions remain the most common type of incident, brought on by phishing and exploiting unpatched vulnerabilities, among other methods.

The data confirms what researchers have been alerting to for the last few years: threat actors will find a way and most entities are not keeping pace. What’s alarming is just how big an impact these attacks are having on critical infrastructure entities.

The cost anatomy of a cyberattack

The average time to recover from ransomware rose in nearly every sector, “and in most cases, significantly.” In 2021, the average recovery time for all sectors was just over a week. Last year, the retail, restaurant, and hospitality sectors saw an increase in the average recovery time from 7.8 days in 2021 to 14.9 days in 2022, or a 91% increase.

Healthcare saw a 69% rise in the length of recovery, followed by a 54% uptick for the energy and technology sectors, and 46% in the government industry segments.

These increases mirrored a spike in ransom demands in 6 out of 8 industries, with an average payment of $600,688. In addition to ransom demands, companies are facing greater forensic investigation costs, which data shows are up 30% from last year on average when tied to network intrusion incidents. And those fees don’t include lost business or data review costs.

While finance and insurance, business and professional services, and the retail, restaurant, and hospitality industries saw decreases in the average and median costs from 2021 numbers, the government, energy and technology sectors faced higher averages and lower medians.

The report noted this reflects “a general decrease in costs for most clients but offset by some significant ransomware matters for certain clients.”

What’s more, healthcare and manufacturing entities were hit with large increases of both the average and median price tags for forensic investigations last year. On average, the 20 largest network intrusions rose 24% in the last year, from $445,926 to $550,987 in 2022.

Triple extortion? Breach notices lead to spike in lawsuits

As SC Media reported, healthcare entities are more commonly facing data breach lawsuits soon after reporting a breach. In 2021, those breach lawsuits were typically filed after incidents impacting more than 50,000 patients.

Even after the practice was deemed modern-day ambulance chasing, the new BakerHostetler data shows that not only has the rate of breach lawsuits rapidly expanded, a greater number are being filed over incidents impacting as few as 10,000 individuals.

The data confirms that “lawsuits nearly doubled year over year. No longer are only the ‘big breaches’ capturing attention.” Of the 494 incidents with an issued notification in 2022, 42 resulted in one or more lawsuits. Twelve of those were filed in incidents impacting 10,000 to 100,000 individuals and 13 of which were filed after notices to 100,000 to 500,000 people.

After continued debate around the contentious topic, class certification in data breach litigation has yet to be determined. Multiple lawsuits have failed to see their lawsuit certified as a class action. Most recently, a judge refused to certify a class in a lawsuit against CareFirst, for example, as some breach victims did not provide evidence of harm.

The citing of actual harm in this, and cases from 2021, should be viewed as wins for healthcare entities facing similar suits, in light of continued rise in similar cases and the rate of legal filings  after the disclosure of security incidents.

On the flip side, privacy lawsuits are also on the rise, including those tied to the use of pixel tech — brought on by the Supreme Court ruling to overturn the constitutional right to an abortion — and concerns that tracking tools may heighten legal risks for women seeking reproductive care. The Department of Health and Human Services and the FTC are also working to better regulate this space, while state regulators are also cracking down on privacy and security violations.

As regulators keep privacy violations in focus, HHS seeks to bolster HIPAA, and ransomware actors continue to evolve, entities should review these cost risks and adapt accordingly.