Hacking Hospital Systems
Quick legal framework (why hospital hacks are different)
CFAA (Computer Fraud and Abuse Act) — federal criminal statute often used to prosecute unauthorized access to computer systems. Key questions: what counts as “access without authorization” or “exceeding authorized access” (this has been the subject of much litigation).
HIPAA (Health Insurance Portability and Accountability Act) — civil regulatory regime enforced by HHS Office for Civil Rights (OCR). HIPAA doesn’t criminalize hacking per se, but covered entities must protect PHI (protected health information); OCR can impose corrective actions and multi‑million dollar settlements for failures to secure PHI or to respond properly to breaches.
State data‑breach and consumer‑protection laws — lead to private suits and state AG enforcement (negligence, unfair practices, breach of implied contract).
Tort law (negligence, negligent infliction of emotional distress, invasion of privacy) — plaintiffs often sue hospitals after breaches for harm, costs, and anxiety. Courts differ on whether risk of future identity theft and anxiety constitutes concrete injury (standing).
Criminal prosecutions under CFAA, identity‑theft statutes, or wire fraud statutes may follow where attackers are identified.
Standing & Article III constraints — Supreme Court and appellate decisions (e.g., Spokeo) have tightened standing rules in data‑breach suits; plaintiffs must show a concrete, particularized injury, not only a theoretical risk.
Case / Enforcement 1 — Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) — standing doctrine that affects all data‑breach suits
Facts / procedural posture: Plaintiff sued Spokeo for publishing inaccurate employment‑related information; the Supreme Court considered whether a statutory violation alone is enough for Article III standing.
Holding / rule: The Supreme Court held that a bare statutory violation is not always a concrete injury for Article III purposes; courts must decide whether the intangible harm alleged is “concrete” (either historically recognized or sufficiently real). The case sent the issue back to lower courts for application.
Why it matters for hospitals: After Spokeo, many data‑breach claims (including suits against hospitals and health plans) require plaintiffs to show a real, tangible injury (e.g., financial loss, misuse of data, fraudulent charges, or specific identity‑theft incidents) rather than mere risk alone. This has shaped how class actions over hospital breaches can proceed — plaintiffs often must plead or demonstrate actual misuse of PHI or out‑of‑pocket loss to survive motions to dismiss.
Case 2 — Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) — risk-of-future-harm standing
Facts: After a large retailer data breach, customers sued for injuries from the theft of their payment card data.
Holding / rule: The Seventh Circuit held that customers had Article III standing because the theft and the subsequent risk of identity theft were concrete injuries — the “near certainty” of misuse or the real risk of future harm can be enough at the pleading stage.
Why it matters for hospitals: Remijas represents the more permissive view that risk and necessary remediation costs (card replacement, credit monitoring) can be sufficient to establish standing. Courts in different jurisdictions are split between the Remijas approach and the stricter outcomes that followed Spokeo. For hospital breaches, that split determines whether large class actions can get past dismissal.
Case 3 — United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (and later Ninth Circuit developments) — limits on “exceeding authorized access” under CFAA
Facts: Defendant recruited former employees to use existing credentials to access a database and transmit information to a competitor. Prosecution invoked the CFAA.
Holding / rule: The Ninth Circuit rejected an overly broad reading of the CFAA that would criminalize many routine violations of employer computer policies. The court held that the CFAA does not reach merely using authorized access for an improper purpose (i.e., “exceeding authorized access” cannot be read to criminalize policy violations).
Why it matters for hospitals: Nosal narrows the scope of criminal liability when insiders misuse credentials; it forces prosecutors to show truly unauthorized access or code‑level bypasses. For healthcare institutions, this distinction matters when deciding whether to pursue administrative discipline or civil suits versus referring matters for criminal prosecution under the CFAA.
Enforcement Action — HHS OCR: Memorial Healthcare System resolution (OCR enforcement) — OCR’s authority under HIPAA
Facts / summary: OCR investigated a breach involving insecure devices (e.g., lost/stolen laptops) and found multiple HIPAA violations including failure to perform risk analysis and failure to implement sufficient encryption and device controls.
Outcome: OCR required a corrective action plan, ongoing monitoring, and a substantial monetary resolution, together with systemic changes to the entity's security program.
Why it matters for hospitals: OCR’s enforcement emphasizes administrative and technical safeguards (risk analysis, encryption, policies, workforce training). Even if a breach results from criminal hacking by outsiders, OCR focuses on whether the covered entity met HIPAA’s security requirements. Hospitals that fail to do basic risk assessment and implement controls can face large penalties and long corrective programs.
(Note: OCR has brought multiple such enforcement actions; the consistent principle is that technical security failures lead to HIPAA investigations, substantial remediation obligations, and penalties.)
Case / Litigation 4 — In re Anthem, Inc. Data Breach Litigation (MDL, multi‑district litigation following 2015 breach)
Facts: In 2015, Anthem (a major health insurer) announced a breach exposing tens of millions of records (names, SSNs and other PHI). Plaintiffs filed multiple actions consolidated as an MDL.
Legal issues and rulings: Plaintiffs alleged negligence, breach of implied contract, and statutory claims. The litigation raised classic issues: standing (do plaintiffs have a concrete injury?), adequacy of data security practices, and whether Anthem’s disclosures and remediation were sufficient.
Outcome: Anthem agreed to a large settlement (reported in the industry as roughly nine‑figure scale when combining class settlements and OCR matters), and Anthem also entered into an OCR resolution agreement addressing HIPAA compliance.
Why it matters for hospitals: Anthem’s case shows combined civil, class‑action, and regulatory consequences when health data are exposed — hospitals and health plans face liability exposure in multiple forums. Settlements in large health‑data MDLs can be substantial and carry injunctive and compliance commitments.
Enforcement / Litigation 5 — FTC v. LabMD, Inc. (FTC administrative action over data security practices)
Facts: The FTC alleged that LabMD’s lax data‑security practices exposed patient data and that the company’s failures constituted unfair and deceptive acts in violation of FTC Act §5. The FTC sought to order LabMD to implement a comprehensive security program.
Procedure / outcome: The LabMD matter saw protracted administrative litigation. The case is notable for raising limits on FTC authority and evidentiary issues in data‑security enforcement; after years of litigation, the FTC’s enforcement efforts faced significant pushback.
Why it matters for hospitals: While HIPAA is the dominant regulatory tool in healthcare, the FTC has used consumer‑protection authority to pursue healthcare entities that are not “covered entities” under HIPAA or whose conduct also implicates consumer deception and unfair practices. The LabMD saga signaled both the FTC’s interest in data security and the evidentiary and procedural hurdles for regulators.
Case 6 (example of consequences of ransomware disruptions) — Civil & regulatory fallout from major ransomware outages (e.g., Universal Health Services, MedStar, NHS/WannaCry)
Facts: Several high‑profile ransomware attacks disrupted hospital operations (e.g., MedStar, Universal Health Services, and the UK NHS during WannaCry). These were not always resolved in criminal courts; instead they generated civil suits, state investigations, insurance claims, and regulatory scrutiny.
Legal consequences and lessons:
Criminal prosecution of the attackers is often difficult due to attribution and international challenges.
However, hospitals face regulatory scrutiny (OCR investigations for HIPAA noncompliance), malpractice/operational liability claims if the attack caused patient harm, and contractual disputes with vendors.
Insurers and hospital counsel must assess whether downtime caused compensable injuries; plaintiffs sometimes bring suits alleging negligence or loss of access to care. Regulators look at pre‑incident risk assessments and incident response plans.
Why it matters for hospitals: Ransomware illustrates that the legal fallout is often regulatory + civil rather than purely criminal, emphasizing the importance of pre‑incident preparedness and documentation of risk management.
Practical legal takeaways (what courts and regulators emphasize)
Documented risk analysis and remediation — OCR and courts look for documented risk assessments, timely remediation, encryption where feasible, and workforce training. Lack of documentation often drives enforcement.
Standing matters — litigate early — after Spokeo, motions to dismiss challenging standing are powerful; hospitals defending suits should test whether plaintiffs have alleged concrete injury. Plaintiffs will try to show mitigation costs, fraudulent transactions, or identity theft to survive.
CFAA prosecutions require clear unauthorized access — when conduct is merely using valid credentials for improper purposes, CFAA liability is not automatic (see Nosal). Criminal referrals succeed best where attackers bypass protections or use hacking tools and exploits.
Multi‑front exposure — a breach can trigger civil class actions, state AG investigations, OCR HIPAA enforcement, and contract/insurance claims simultaneously. Settlement often includes both money and injunctive reforms.
Ransom payments and insurance — paying ransom may have regulatory and legal implications (including possible sanctions if payment would violate sanctions laws); cyber‑insurance plays a major role in settlements and remediation.
Vendor management and supply chain — courts and regulators examine contractual allocation of responsibility with EHR vendors, cloud providers, and managed services.
Short, concrete list of cases/actions covered
Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) — standing for statutory injuries.
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) — risk of future identity theft can support standing.
United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) — limits on CFAA “exceeds authorized access.”
In re Anthem, Inc. Data Breach Litigation (MDL following 2015 breach) — large MDL settlement + OCR resolution; regulatory + civil consequences for health data breaches.
HHS OCR enforcement actions (e.g., Memorial Healthcare System OCR resolution) — HIPAA enforcement produces large monetary and corrective commitments.
FTC v. LabMD (administrative litigation) — shows FTC interest and limits in data‑security enforcement.
Plus discussion of ransomware incidents (e.g., UHS, MedStar, NHS/WannaCry) and their civil/regulatory impacts.
Final practical recommendations for hospitals and counsel (legal‑oriented, not technical exploit guidance)
Perform and document a thorough HIPAA risk assessment and tie remediation to prioritized vulnerabilities. Documentation matters in OCR defense and civil litigation.
Incident response plan + legal hold: ensure legal is looped in immediately for notification obligations, evidence preservation, and to evaluate breach reporting deadlines (HIPAA/HITECH, state laws).
Vendor contracts: allocate breach responsibilities and require security standards and audit rights for EHR and cloud vendors.
Cyber insurance + counsel coordination: pre‑negotiated counsel and clear understanding of policy requirements will speed remediation and reduce litigation exposure.
Patient notifications & remediation: timely, transparent notification and reasonable remediation (credit monitoring where appropriate) can mitigate class certification and damages.
Consider civil claims vs. criminal referral: if insider misuse is suspected, evaluate whether facts support a CFAA criminal referral (requires showing unauthorized access) vs. internal discipline and civil remedies.