Cybercrime , Fraud Management & Cybercrime , Healthcare

Hospitals Sue LockBit, Ask Cloud Firm to Return Stolen Data

NY Hospital Group Claims Cybercriminals Kept Data on Boston-Based Firm's Servers
Hospitals Sue LockBit, Ask Cloud Firm to Return Stolen Data
Carthage Area Hospital, Claxton-Hepburn Medical Center and North Country Orthopaedic Group are trying to subpoena a cloud-based tech firm to return data allegedly stolen by LockBit attackers. (Image: Carthage Area Hospital)

A healthcare alliance of two upstate New York hospitals and an orthopedic group has filed a lawsuit against unknown members of the LockBit group. But the suit is a legal maneuver aimed at forcing a Massachusetts-based cloud services vendor to turn over patient data the ransomware gang stole from the hospitals and allegedly stored on the tech firm's servers.

See Also: Using the Netskope HIPAA Mapping Guide

Carthage Area Hospital, Claxton-Hepburn Medical Center and North Country Orthopaedic Group - the members of Carthage, New York-based North Star Health Alliance - on Nov. 29 filed the complaint in St. Lawrence County Court in New York against "John Doe and Jane Doe" - "unknown threat actors" who represented themselves as LockBit.

The lawsuit alleges that the defendants "conspired to carry out the complex cybercrime and movement of stolen assets." The identity of the defendants "is currently unknown, as they have perpetrated the subject scheme in secrecy and utilizing the worldwide web," the lawsuit alleges.

The legal action against the attackers was filed to enable the hospital group to serve a subpoena requiring Boston-based cloud based storage firm Wasabi Technologies to turn over data LockBit claimed to have stolen from the hospital group last summer, which the cybercriminals then allegedly stored on Wasabi's servers, according to court documents.

North Star Health Alliance is seeking injunctive relief to prevent the access, transfer or duplication of the exfiltrated data "and requiring that, after the stolen data is returned to the hospital group, all other copies of the stolen data be destroyed," the complaint says.

The hospitals said they need access to the data to identify and notify individuals whose information was potentially compromised in the incident.

"Upon information and belief, Wasabi has already provided copies of the stolen data to the FBI," the alliance says in its lawsuit.

North Star Health Alliance did not immediately respond to Information Security Media Group's request for comment on the lawsuit.

Wasabi, in a statement to ISMG, said the tech company "is committed to complying with all relevant regulatory requests. It is our policy not to comment on ongoing legal matters."

The lawsuit says the data breach occurred around Aug. 31, when the attacker gained access to the hospital group's IT infrastructure, exfiltrated data and transferred the stolen data to a cloud server owned and operated by Wasabi.

Carthage Area Hospital in a Sept. 6 statement posted on its Facebook page said it had been dealing with a cybersecurity incident that required the North Star Health Alliance members to reschedule a variety of outpatient appointments.

Critical Considerations

Some experts said the legal case filed by the hospital group brings up important considerations for other technology firms, especially if their services or infrastructures end up being used by cybercriminals for data storage or other illicit activities.

"This raises interesting potential 'aiding and abetting' as well as co-conspirator issues regarding the relationship between the cybercriminal group and the third party," said regulatory attorney Rachel Rose. "This will be an interesting area to watch, especially if a government agency brings a criminal lawsuit."

Mike Hamilton, co-founder and CISO of security firm Critical Insight, said the legal case by North Star Health Alliance spotlights a scenario that other entities could potentially face in the wake of a cyberattack involving data exfiltration.

"The FBI has been using tools to scan the internet for stolen records, and when a domestic service provider is found to be housing such information, a lawsuit seems to be the logical step if the company is at all either intransigent about removal or feels that the request would put that company in a position of liability."

Also, regulations in the finance sector - including those pertaining to cryptocurrency exchanges - require that companies "know their customers," he said. "It is reasonable that this type of requirement is imposed on cloud providers to prevent as much stolen information being housed, hostile scanners and malware distribution running out of domestic data centers, etc."

Dave Bailey, vice president at privacy and security consultancy Clearwater, said the North Star Health Alliance case also highlights potential legal concerns for technology vendors seeking ways to prevent getting unknowingly entangled in cybercrimes committed by their clients.

"Adversaries don’t follow the law, and as a cybercriminal, admitting to malicious intent is highly unlikely," he said. "Even if a storage vendor asked about intentions as part of a liability requirement, relying on criminals to be truthful is challenging," he said.

A good practice for storage vendors would be to inform clients explicitly about potential consequences for malicious activities, Bailey said.

"This involves sharing clear consent and user agreements that outline legal parameters and appropriate uses of their services. Criminals are unlikely to admit malicious use, even if confronted by the FBI," he said. "It is not the responsibility of cloud providers to discern this; the only way to confirm theft is through identification by the owner or notification of theft to law enforcement."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.