Failure to Pay Ransom: Negligence?

Lehigh Valley Health Network is a health care network based in Allentown, Pennsylvania that serves the eastern and northeastern part of the state. On February 6, 2023, LVHN was hit with a combination ransomware/extortionware attack. Attackers from the hacker group ALPHV (aka BlackCat) obtained sensitive medical photographs of LVHN patients and threatened to release these “nudes” unless LVHN paid the demanded ransom. LVHN did not pay, and some of the nude pictures of some of the approximately 2,760 patients were then released to the public. The patients sued the hospital network for negligence.

On May 5, 2023, counsel for the hospital chain filed a motion to dismiss with the federal court in the Middle District of Pennsylvania, arguing first that the mere fact that the hospital was successfully attacked and data stolen from it (data that it had a legal obligation to protect) did not mean that the hospital was negligent in any way in the protection of the data. While the HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a HIPAA-covered entity like LVHN, the mere fact of a data breach does not mean that the Security Rule was violated. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information, but it is not intended to create an absolute guarantee of privacy or security. LVHN asked that the civil suit be dismissed because it failed to allege specific things that the provider failed to do that would have been reasonable. Rather, the complaint alleged only that LVHN had a duty to protect the patients’ data and that it failed in that duty. In fact, in the Heartland Payment data breach case, the court found that “[t]he fact that a company [] suffered a security breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security.” The court concluded that the company may have done all the right things with regard to security, but that it was simply “overwhelmed.” In other words, a data breach does not always mean a data security failure.

A Negligent Decision?

A more interesting issue is the implied claim that LVHN’s refusal to pay the ransom was itself a negligent decision and that this refusal was what led to the public dissemination of the nude pictures. If LVHN had paid the ransom, the argument goes, the hackers would not have released the pictures and, therefore, LVHN had a legally cognizable duty to PTFM (pay the [F is silent] money).

There’s some intellectual and emotional appeal to this argument. If there is a ransom demand for $200 or your data will be released, or your dog kidnapped, and you refuse to pay the ransom and some party suffers millions of dollars in damages, one could argue that the decision not to pay was irrational and unsupported and, therefore, that it was in some way “negligent.” Of course, this presupposes that you are working with “honest” thieves and that paying the ransom would have reasonably resulted in avoidance of the bad result—a difficult thing to prove.

Moreover, the payment of ransom, while not exactly illegal, is heavily discouraged: “The FBI does not support paying a ransom in response to a ransomware attack.” LVHN’s lawyers pointed out in their brief in support of their motion to dismiss that “LVHN’s refusal to pay BlackCat’s exorbitant ransom demand cannot give rise to a claim. Plaintiff points to no duty that would require LVHN to pay a ransom to a Russian criminal gang in contravention of guidance from law enforcement.”

There’s an old Jack Benny routine where a robber points a gun at Benny and demands, “Your money or your life.” Benny hesitates and remarks, “I’m thinking, I’m thinking…” There are times when, at least in theory, paying the ransom is the “reasonable” thing to do (depending on many factors). If one does NOT pay the ransom in those circumstances, it is possible that one has acted “unreasonably.” It’s a stretch, but possible.

Document the Why

This reinforces one of the main principles of incident response. It is important not only to document what you do, but also why you are doing it. Know what your objectives are at the outset and what the best ways are to achieve them, and remain flexible in your approach. You don’t have to make perfect decisions or even the best decisions, but your decisions should be reasonable. If the decision is to pay the ransom, document why. If the decision is to not pay, have an explanation for that decision as well. And remember, making no decision is a decision as well.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.