Posts

Showing posts with the label ransomware

Ransomware: What You Need to Know as Attacks, Regulation and Enforcement Increase

Executive Summary What’s new.  As the frequency and sophistication of ransomware attacks increase, corporate responses to these incidents are subject to ever-growing regulation, and enforcement actions are becoming more frequent. Why it matters.  Businesses that are victims of a ransom attack face new regulatory risks and heightened scrutiny over their response processes, on top of potential operational damage and reputational harm. What to do now.  Organizations can mitigate legal and regulatory risks by ensuring incident response, escalation and notification protocols are thorough, up to date and well documented, and by engaging experienced legal counsel and cybersecurity advisers in advance of any incident. __________ Ransomware attacks continue to evolve in sophistication, disrupting operations and commanding the urgent attention of regulators, law enforcement and government agencies. Organizations victimized in these incidents now face not only the immediate operatio...

Ransomware Reality Check: Why Not Every Data Breach Creates Standing

At MVA, we often help clients who are victims of cyber incidents where threat actors take data and threaten to release it unless they are paid. With ransomware attacks and data exfiltration common, companies face mounting pressure to assess litigation risk after a breach, and understanding the legal landscape is critical. Recent rulings from both federal and state courts underscore a key point: not every breach translates into standing for every affected individual. In our 2017  DataPoints  piece on  Beck v. McDonald , we explored how the Fourth Circuit set a reasonable bar for standing in data breach cases. That precedent continues to shape outcomes today, including a recent decision from the Fourth Circuit and a November 18 th  decision from a state court of appeals reinforcing the principle that speculative harm is not enough for standing. The Fourth Circuit in  Holmes v. Elephant Insurance Co.  and the Wisconsin Court of Appeals in  Bauer v. Fincan...

OCR’s Risk Analysis Initiative: Lessons From Recent HIPAA Enforcement Actions

Health care organizations are under pressure to shore up their cybersecurity response efforts. Much of this pressure is coming from the  US  Department of Health and Human Services Office for Civil Rights ( OCR ) , which has made clear through recent enforcement actions that conducting a proper risk assessment under the Health Insurance Portability and Accountability Act ( HIPAA ) Security Rule is not optional. These enforcement actions ratcheted up during the Biden Administration and have continued during the Trump Administration, signaling that risk analysis remains a top compliance priority for organizations charged with complying with HIPAA. HIPAA’s Risk Assessment Requirement and Why It Matters Under the HIPAA Security Rule (as codified in 45 C.F.R. § 164.308), all HIPAA covered health care providers, health plans, health care clearinghouses (covered entities), and their business associates (collectively, regulated entities) must “[c]onduct an accurate and thorough a...

A Ghost Stole my Data!

  They appeared . They  caused a fright . And then they  disappeared… along with all of your data. While not  a ghost , that is how most hacking groups operate and their ghostly presence is growing across the globe. Rapid7 , a leading cyber security solutions provider, reported  that there were  more than 2,500 ransomware attacks in the first six months of 2024 – more than 14 publicly reported attacks a day – and that does not account for unreported attacks (which we know happens frequently) . So, how do you protect yourself from being the next victim of these ghostly attacks? First , back up that data! We’ll be the first to admit that the frequency and quality of your backups play little role in  whether  you suffer a cyber-attack. However, the quality of your data backups can certainly mitigate the  impact of  that attack. The more frequently you back up your data, on a separate server not connected or accessible from your main system...

OCR Settles Fourth Ransomware Investigation

  The Office for Civil Rights of the Department of Health and Human Services (OCR) announced on September 26, 2024, that it had entered a   settlement   with Cascade Eye and Skin Centers (together, Cascade) for $250,000 following an investigation of a ransomware attack against them. This is the fourth settlement against a victim of a ransomware attack. According to the OCR’s press release, “ Ransomware and hacking are the primary cyber-threats in health care. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.” The OCR’s investigation found that 291,000 files were affected by the attack. During its investigation, it alleges that Cascade potentially violated HIPAA by failing to conduct a risk analysis and to have sufficient monitoring of its systems to prevent a cyber-attack. The settlement is a stark reminder to covered entities and business associates that even if you are a victim of a criminal attack, you are still ...