A New Twist in the Ransomware Debate: Is it Negligent to Fail to Pay Ransom?

May 12, 2023

Lehigh Valley Health Network (LVHN) is a healthcare network based in Allentown, Pennsylvania, that serves eastern and northeastern Pennsylvania. On Feb. 6th of this year, LVHN was hit with a combination ransomware and extortionware attack in which attackers from the hacker group ALPHV (aka BlackCat) obtained sensitive medical photographs of LVHN patients and threatened to release these “nudes” unless LVHN paid the demanded ransom. LVHN did not pay, and some of the nude pictures of approximately 2,760 patients were then released to the public. The patients sued the hospital network for negligence.

The HIPAA Security Rule

On May 5th, counsel for the hospital chain filed a motion to dismiss with the federal court in the Middle District of Pennsylvania, alleging first that the mere fact that the hospital was successfully attacked and data was stolen from it (data that it had a legal obligation to protect) did not mean that the hospital was negligent in any way in the protection of the data. While the HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a HIPAA-covered entity like LVHN, the mere fact of a data breach does not mean that the Security Rule was violated.

The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information, but it is not intended to create an absolute guarantee of privacy or security. LVHN asked that the civil suit be dismissed because it failed to allege specific things that the provider failed to do that would have been reasonable. Rather, the complaint alleged that LVHN had a duty to protect the patients’ data, and that it failed in that duty. In fact, in the Heartland Payment data-breach case, the court found that:

“[T]he fact that a company suffered a security breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security.”

The court concluded that the company may have done all the right things for security, but that it was simply “overwhelmed.” In other words, a data breach does not always mean data security failure.

Is it Negligent to Not Pay Ransom?

A more interesting issue is the implied claim that LVHN’s refusal to pay the ransom was itself a negligent decision, and that this refusal was what led to the public dissemination of the nude pictures. If LVHN had paid the ransom, the argument goes, the hackers would not have released the pictures and therefore LVHN had a legally cognizable duty to pay the money.

There’s some intellectual and emotional appeal to this argument. If there is a ransom demand for $200, with the threat that your data will be released or your dog kidnapped, and you refuse to pay the ransom, and some party suffers millions of dollars in damages, one could argue that the decision not to pay was irrational and unsupported, and therefore that it was in some way “negligent.” Of course, this presupposes that you are working with “honest” thieves, and that paying the ransom would reasonably have avoided the bad result, which is a difficult thing to prove.

Moreover, the payment of ransom, while not exactly “illegal,” is heavily discouraged. In fact, the FBI has published statements and advice noting that it does not support paying a ransom in response to a ransomware attack. LVHN’s lawyers point out in their brief in support of their motion to dismiss that:

“LVHN’s refusal to pay BlackCat’s exorbitant ransom demand cannot give rise to a claim. Plaintiff points to no duty that would require LVHN to pay a ransom to a Russian criminal gang in contravention of guidance from law enforcement.”

There’s an old Jack Benny routine where a robber points a gun at Benny and demands, “your money or your life.” Benny hesitates and remarks, “I’m thinking, I’m thinking…” There are times when, at least in theory, paying ransom is the “reasonable” thing to do (depending on many factors). If you do not pay the ransom in those circumstances, it is possible that you have acted “unreasonably.” It’s a stretch, but possible.

Document What You’re Doing and Why You’re Doing It

This reinforces one of the main principles in incident response. It’s important not only to document what you do, but also why you are doing it. Know what your objectives are at the outset and what the best ways to achieve them are, and remain flexible in your approach. You don’t have to make perfect decisions, or even the best decisions, but your decisions should be reasonable. If that decision is to pay ransom, document why. If the decision is to not pay, have an explanation for that decision as well. And remember, making no decision is a decision as well.

For further information regarding your cyber security, please contact KJK’s Cyber Security, Data Breach and Privacy Chair, Mark Rasch (MDR@kjk.com; 301.547.6925) or another member within the practice group.