Newsletter 07/18/2023

A Growing Trend:
Data Breaches, Hacking, and Ransomware Infecting the Courtroom

For a very long time I have been waiting for two shoes to drop in the wake of the cyberwar.  One is that eventually the Federal Government would have to assert itself in the conflict.  Several posts over many months have discussed the ways Uncle Sam is now a leading combatant in our 21st century war of attrition.  The other shoe, now dropping with greater frequency, is that people and entities are demanding compensation for the harms caused them by malware, data breaches, and ransomware.  And thus to the courts they shall go.

More and more individuals and businesses who have been victims of cyberattacks are turning to the courts seeking compensation for their financial losses, damage to their reputations, and other harms caused by those attacks.

The wave of data breaches that began in May 2023 as the MOVEit vulnerability circled the globe, and which is still ongoing, has spawned several class action civil lawsuits.  On July 17, 2023, FierceHealthcare reported that at least four separate class action lawsuits had been filed against "hospital chain HCA Healthcare."  HCA was one of the largest entities caught up in this wave.  As BleepingComputer reported on July 11, 2023, "on July 5th, 2023, a threat actor began selling data allegedly belonging to HCA Healthcare on a forum used to sell and leak stolen data."  BleepingComputer further stated that "The threat actor claims that the stolen data consists of patient records created between 2021 and 2023."  This timeline corresponds with what is known about the progress of the MOVEit attack.

One such lawsuit is GARY SILVERS and RICHARD MAROUS vs. HCA HEALTHCARE, INC., a Tennessee corporation.  The central fact asserted here by Plaintiffs is that: 

As a result of the Data Breach, which Defendant failed to prevent, the Private Information of patients at hospitals or physician offices owned or operated by Defendant, including Plaintiffs and the proposed Class members (“Patients”), were stolen and released including their names, cities, states, zip codes, email addresses, phone numbers, date of birth, gender, and appointment information (patient service date, location, and next appointment date).

The question for both Plaintiffs and Defendants is whether it is, in fact, true that:

Defendant’s failure to safeguard Patients’ highly sensitive Private Information as exposed and unauthorizedly disclosed in the Data Breach violates its common law duty and Defendant’s implied contract with its patients to safeguard their Private Information.

Another large healthcare institution victimized through the MOVEit vulnerability was The Johns Hopkins Health System Corporation.  The Maryland teaching hospital was the victim of a MOVEit attack on May 31, 2023, according to CBS News.

In the case, "PAMELA HUNTER, et al. vs. THE JOHNS HOPKINS UNIVERSITY and THE JOHNS HOPKINS HEALTH SYSTEM CORPORATION," the key contention made by Plaintiffs' attorneys is:

Johns Hopkins disregarded the rights of Plaintiff and Class Members by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that Plaintiff’s and Class Members’ PHI/PII was safeguarded, failing to take available steps to prevent unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use.

This argument is similar to that made in the HCA matter.  In neither case, as far as my research shows, has Defendants' counsel yet filed an answer to any of the various complaints.  Yet one possible defense might be that, as of July 19, 2023, KonBriefing reported that 251 separate corporate and governmental entities in the US had fallen victim to Clop's exploitation of the MOVEit vulnerability.  That there was really no defense against a zero-day in MOVEit could be one solid argument made in all of the Defendants' replies.  Or so I think.

Furthermore, another solid defense is the simple fact that the vulnerability was a zero-day, already being exploited when Progress Software disclosed it, and that the first series of patches from Progress did not end the attacks; further patches had to follow.  So it does not follow that Defendants must be held liable for the failure of another party, a failure that Defendants had no control over.  It would not be going too far out on a limb for Defendants' counsels to assert that, given the breadth and depth of these attacks, and that the threat actor is assessed to operate from Russia, the MOVEit attack itself can be considered an act of war.  Its victims can, therefore, also be considered collateral damage in that war: damage for which no one entity could rightly be held liable.

A civil suit filed in California in the wake of MOVEit is "DAVID BERRY and BONNIE GAYLE NG vs PENSION BENEFIT INFORMATION, LLC (doing business as PBI RESEARCH SERVICES); THE BERWYN GROUP, INC."  PBI is a service provider to CalPERS, the California Public Employees' Retirement System.  Plaintiffs Berry and Ng are beneficiaries of that fund.  On June 24, 2023, responding to questions from BleepingComputer, a PBI spokesperson stated:

PBI Research Services uses Progress Software’s MOVEit file transfer application with a number of clients. At the end of May, Progress Software identified a zero-day vulnerability in the MOVEit software that was actively being exploited by cyber criminals.

PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted potentially impacted clients.

Another key point made by Plaintiffs is that in May 2023, Defendants "allowed an unauthorized user from a ransomware group to exploit an undetected security flaw in a file transfer system." [Complaint, 6.]

Since the vulnerability was not publicly known until the end of May 2023, and exploitation continued through June 2023 while the vendor had to issue multiple patches, it will be difficult for Plaintiffs to prove that Defendants "allowed" the attack to occur.  Furthermore, as Cybersecuritydive stated on July 14, 2023, MOVEit is an accredited file-transfer product that meets regulatory compliance requirements, so its use was approved for the very purposes for which Defendants employed it:

MOVEit is an approved and accredited file-transfer service that meets regulatory compliance requirements for multiple government agencies and highly regulated industries. These auditor and government-backed certifications made it a widely used service for organizations with sensitive data.

Moreover, on the Progress Software website, in a section entitled "Privacy, Security Standards, and Auditing Requirements," the vendor lists the legal and regulatory requirements it adheres to, and "answers some questions regarding the expected conformance of MOVEit to HIPAA, FDIC, OCC, G-L-B Act, California SB 1386, Canadian PIPEDA, Payment Card Industry (PCI), Sarbanes-Oxley (SARBOX) and other regulations."  This was current as of July 17, 2023.

In each of these cases, Defendants are being held liable for a series of events they could not have known about in real time, while the breach was occurring and the crime was still in progress.  Plaintiffs are asking the courts to hold Defendants liable for harmful outcomes that impacted disparate groups of individuals, although Defendants themselves can be considered victims of these events.  Defendants should not be treated as perpetrators of the same criminal acts.

One way to look at this may be as a multiple-vehicle accident, where one vehicle is rammed by a second and pushed into a third.  The driver of vehicle #1 has a good and valid defense.  The driver of vehicle #2, it can reasonably be argued, in fact caused the damage to both other vehicles.

So the novel legal question arising in these MOVEit cases is this: can the business entities that were the original victims of the attack be held liable for the harms the attack caused those same Defendants' customers, both individuals and institutions?  Indeed, Plaintiffs and Defendants are both victims of the same bad actors.

Well, you serve me and I'll serve you
Swing your partners, all get screwed
Bring your lawyer and I'll bring mine
Get together and we could have a bad time

We're going to play the sue me, sue you blues
— Sue Me, Sue You Blues, George Harrison

¯\_(ツ)_/¯
Gerald Reiff
