In a legal pile-on that has grown to at least seven class action lawsuits, patients of the Johns Hopkins University and Health System have accused the Baltimore institution of failing to protect their personal data from theft by Russian cybercriminals.
But cybersecurity experts told The Banner that Hopkins is a minor player in a massive data breach to which it could have fallen victim even if it had done everything right.
The hackers who stole Johns Hopkins patient data infiltrated a popular file transfer program called MOVEit, impacting at least 670 organizations worldwide and stealing the data of 46 million customers, employees and students.
Those exposed through Hopkins number around 300,000. The institution has said that while stolen data may have included sensitive personal and financial information, medical records were not compromised.
“You could have the best cybersecurity software in the world and the best processes and people and do all the right things,” and still be vulnerable to this type of attack, said Richard Forno, assistant director of the Center for Cybersecurity at the University of Maryland, Baltimore County and director of its graduate program. That’s often because organizations must use third-party platforms such as MOVEit to efficiently execute basic functions — like transferring files — and lack the same visibility into that software that they maintain with their own systems, Forno said.
These programs run “as a trusted resource inside the secure cyber perimeter“ of an organization, he said, but “there is a point where they don’t have control over that part of their IT environment.”
MOVEit was indeed a trusted program widely used by large and well-known organizations across public and private sectors, with finance, tech and health care industries hit hardest by the breach. The companies affected include commercial giants such as Shell and American Airlines, government agencies like the U.S. Department of Energy, and other large health care organizations like Houston-based Harris Health System.
MOVEit was developed by Massachusetts-based Progress Software, named as co-defendant in three of the lawsuits against Hopkins and several others. The developer touted MOVEit’s compliance with all industry and regulatory standards, including the Health Insurance Portability and Accountability Act, or HIPAA, on its website. That seemingly robust security may be why government agencies were comfortable using MOVEit, said Ido Sivan-Sevilla, assistant professor at the College of Information Studies at University of Maryland, who was involved in designing cybersecurity regulations for the Israeli government.
Leading information security at an institution like Johns Hopkins is “an impossible job that works like a fire department trying to just throw water on fires all over the place,” Sivan-Sevilla said. The use of an accredited, secure and “hopefully carefully deployed” software program within the larger IT system can save limited resources, he said.
But the same third-party programs that function as “critical infrastructure” for institutions can be paydirt for hackers, allowing them to “put a foot in the door across hundreds of organizations” and capture the data of millions, Sivan-Sevilla said.
Software vendors also face zero liability if their products cause damage, which offers no recourse for the companies that use them. Policymakers have shied away from regulating the software industry in order to incentivize companies like Apple and Microsoft to engage in rapid innovation, Sivan-Sevilla said, and while this has certainly worked, it comes at a price.
“Those who face the music are the organizations that adopt those tools,” he said.
A legal firestorm
The newest lawsuit against Hopkins, filed Aug. 11, names Maine resident Phyllis Riffey as plaintiff and appears nearly identical to the other six. It says Hopkins’ “impermissibly inadequate” data security systems show “willful and conscious disregard for privacy,” but offers no examples of the alleged inadequacies.
For the lawsuits to succeed, they would have to prove that Hopkins neglected to establish and carry out cybersecurity measures consistent with health care industry standards, said Benjamin Yelin, an attorney who is program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security and co-host of the cybersecurity-focused podcast “Caveat.”
But the biggest obstacle for the plaintiffs may be getting their case heard at all, Yelin said.
They must demonstrate what’s called legal standing, he said, meaning they would have to have suffered a specific, concrete injury caused by something traceable to the hacking incident for the lawsuit to move forward. Six of the complaints, however, are nearly devoid of specific examples of harm plaintiffs suffered as a result of the data breach, apart from one report of increased medical spam calls in its wake. Riffey’s complaint reported fraudulent bank charges and attempts to open accounts in her name but did not offer evidence that those actions resulted from the Hopkins hack.
There are many allegations of “lost time” spent dealing with the fallout of stolen data by monitoring accounts and worrying about future events, such as identity theft. Those are too vague to confer legal standing, said Yelin, and not traceable to a particular harm. People worry about a lot of future events that never transpire, he said, but that doesn’t mean they should be compensated for it — doing so would open the door to “a lot of spurious lawsuits,” based on fears of things that may not materialize.
The legal storm casting Hopkins as a villain in the breach also stands in contrast to the way another large regional health system was viewed when it fell prey to a hack.
In 2016, a ransomware attack paralyzed MedStar Health’s entire online system for days. People were turned away, cancer patients were forced to delay treatment and patient safety was compromised when providers, forced to do paper charting, were unable to access critical information housed in the electronic medical records.
Yet no one sued, despite hackers reportedly gaining access to the system by way of a software vulnerability known to MedStar that it had neglected to address. Still, the health system was largely viewed as the unfortunate victim of cybercriminals.
“I think it’s unjust to blame the victims of these attacks,” Yelin said, “without any proof that they were negligent in how they handled the data. I just don’t think it gets us anywhere to pass blame on Hopkins as an institution.”
The best companies can do to avoid future data breaches, Forno said, is to monitor the integrity of the software they’re running and “try to be as quickly responsive as they can if they suspect something is fishy.” Still, if “bad guys” find a vulnerability they can exploit, “there’s not a lot you can do” until they’ve already hacked into the program, he said.
“Cybersecurity by its very nature is defensive, and there is really no way to guarantee total security,” Forno said. Instead, “we try to make it harder for bad things to be wildly successful.”
Dylan Segelbaum and Justin Fenton contributed reporting.