Hospitals Sue LockBit, Ask Cloud Firm to Return Stolen Data
NY Hospital Group Claims Cybercriminals Kept Data on Boston-Based Firm's Servers
A healthcare alliance of two upstate New York hospitals and an orthopedic group has filed a lawsuit against unknown members of the LockBit group. But the suit is a legal maneuver aimed at forcing a Massachusetts-based cloud services vendor to turn over patient data the ransomware gang stole from the hospitals and allegedly stored on the tech firm's servers.
Carthage Area Hospital, Claxton-Hepburn Medical Center and North Country Orthopaedic Group - the members of Carthage, New York-based North Star Health Alliance - on Nov. 29 filed the complaint in St. Lawrence County Court in New York against "John Doe and Jane Doe" - "unknown threat actors" who represented themselves as LockBit.
The lawsuit alleges that the defendants "conspired to carry out the complex cybercrime and movement of stolen assets." The identity of the defendants "is currently unknown, as they have perpetrated the subject scheme in secrecy and utilizing the worldwide web," the lawsuit alleges.
The legal action against the attackers was filed to enable the hospital group to serve a subpoena requiring Boston-based cloud storage firm Wasabi Technologies to turn over data LockBit claimed to have stolen from the hospital group last summer, which the cybercriminals then allegedly stored on Wasabi's servers, according to court documents.
North Star Health Alliance is seeking injunctive relief to prevent the access, transfer or duplication of the exfiltrated data "and requiring that, after the stolen data is returned to the hospital group, all other copies of the stolen data be destroyed," the complaint says.
The hospitals said they need access to the data to identify and notify individuals whose information was potentially compromised in the incident.
"Upon information and belief, Wasabi has already provided copies of the stolen data to the FBI," the alliance says in its lawsuit.
North Star Health Alliance did not immediately respond to Information Security Media Group's request for comment on the lawsuit.
Wasabi, in a statement to ISMG, said the tech company "is committed to complying with all relevant regulatory requests. It is our policy not to comment on ongoing legal matters."
The lawsuit says the data breach occurred around Aug. 31, when the attacker gained access to the hospital group's IT infrastructure, exfiltrated data and transferred the stolen data to a cloud server owned and operated by Wasabi.
Carthage Area Hospital in a Sept. 6 statement posted on its Facebook page said it had been dealing with a cybersecurity incident that required the North Star Health Alliance members to reschedule a variety of outpatient appointments.
Some experts said the legal case filed by the hospital group brings up important considerations for other technology firms, especially if their services or infrastructures end up being used by cybercriminals for data storage or other illicit activities.
"This raises interesting potential 'aiding and abetting' as well as co-conspirator issues regarding the relationship between the cybercriminal group and the third party," said regulatory attorney Rachel Rose. "This will be an interesting area to watch, especially if a government agency brings a criminal lawsuit."
Mike Hamilton, co-founder and CISO of security firm Critical Insight, said the legal case by North Star Health Alliance spotlights a scenario that other entities could potentially face in the wake of a cyberattack involving data exfiltration.
"The FBI has been using tools to scan the internet for stolen records, and when a domestic service provider is found to be housing such information, a lawsuit seems to be the logical step if the company is at all either intransigent about removal or feels that the request would put that company in a position of liability."
Also, regulations in the finance sector - including those pertaining to cryptocurrency exchanges - require that companies "know their customers," he said. "It is reasonable that this type of requirement is imposed on cloud providers to prevent as much stolen information being housed, hostile scanners and malware distribution running out of domestic data centers, etc."
Dave Bailey, vice president at privacy and security consultancy Clearwater, said the North Star Health Alliance case also highlights potential legal concerns for technology vendors seeking ways to prevent getting unknowingly entangled in cybercrimes committed by their clients.
"Adversaries don’t follow the law, and as a cybercriminal, admitting to malicious intent is highly unlikely," he said. "Even if a storage vendor asked about intentions as part of a liability requirement, relying on criminals to be truthful is challenging."
A good practice for storage vendors would be to inform clients explicitly about potential consequences for malicious activities, Bailey said.
"This involves sharing clear consent and user agreements that outline legal parameters and appropriate uses of their services. Criminals are unlikely to admit malicious use, even if confronted by the FBI," he said. "It is not the responsibility of cloud providers to discern this; the only way to confirm theft is through identification by the owner or notification of theft to law enforcement."