Why hackers are extorting patients directly

Hackers are increasingly attempting to extort patients directly as health systems bolster their cyber defenses, Bloomberg Law reported Jan. 22.

In recent months, cybercriminals have tried blackmailing patients via email after stealing their data from such health systems as Seattle-based Fred Hutchinson Cancer Center and Oklahoma City-based Integris Health.

As healthcare ransomware attacks have become less bounteous for cybercriminals — fewer companies across all sectors paid ransom in 2023 — they are turning to new methods of making money off hacks, according to the story. Sometimes it's an attempt to pressure health systems into paying ransom.

"There is a shift in the efficacy of ransomware because the companies have gotten more sophisticated, so the old way of encrypting and demanding payments to get access to your data is not as viable," Shoba Pillay, a former federal cybercriminal prosecutor and co-chair of Jenner & Block LLP's privacy and cybersecurity division, told the news outlet.

Patients have in turn been suing the health systems, sometimes claiming they found out their data had been compromised from the hackers themselves.

"If there is any indicator that the victims themselves, the consumers, are going to be contacted by these gangs," healthcare organizations should notify their patients first, Mike Hamilton, founder of cybersecurity company Critical Insight and former chief information security officer for the city of Seattle, told Bloomberg Law. "The failure to do that is probably going to end up — just like everything else does — in some kind of class-action lawsuit."

Copyright © 2024 Becker's Healthcare. All Rights Reserved.

