{ Banner Image }
November 12, 2020

Health Care Providers Face Growing Ransomware Risks, and Potential Sanctions for Paying Ransom

Ransomware AttackAs if COVID-19 wasn’t enough of a challenge for many struggling hospitals and health care systems, there is another growing threat they must guard against: cyberattacks.

On October 28, 2020, the FBI, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency issued a report warning of "an increased and imminent cybercrime threat" to U.S. hospitals and health care providers.

The agencies point to credible threats that cyber criminals are targeting the health sector with Trickbot malware, which in addition to data theft, can result in ransomware attacks. The report was released one day after three hospitals within the New York-based St. Lawrence Health System were hit with ransomware attacks. Other healthcare providers, including the University of Vermont Medical Center and United Health Services, have also recently been attacked.

Government agencies are encouraging “healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” including ransomware.

Ransomware is a form of malware, often delivered through malicious email attachments, that encrypts a victim's files. Once an attacker gains control, it demands a ransom from the victim to restore access to the data upon payment.

While the risks to health care providers of suffering a crippling ransomware attack are high, so are the risks of paying a ransom to restore systems. In short, a ransomware attack puts health care providers between a rock and a hard place.

The risks of paying ransom in response to a cyberattack were highlighted by the U.S. Department of the Treasury (“Treasury Department”) in an advisory issued on October 1, 2020. The advisory was issued for the purpose of identifying “sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”

The Treasury Department’s concerns about ransomware payments are twofold: (1) they may encourage future attacks, and (2) they may violate regulations of the Treasury Department’s Office of Foreign Assets Control (“OFAC”).

The advisory highlights the OFAC’s designation of numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, and the fact that the OFAC “has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.” Information on OFAC's Sanctions Program and Country Information can be found here. If a health care provider, or other U.S. person or entity, pays a prohibited ransom, such payment can give rise to U.S. sanctions violations.

Violations can lead to civil and criminal penalties of the greater of over $300,000 per violation (depending on the sanctions program) or twice ​​​​​the amount of the transaction that is the basis of the civil violation, or up to $1,000,000 and/or 20 years in prison for criminal violations.

OFAC recommends that companies and entities who may be targeted by cyber criminals, or who may be directly or indirectly involved in responding to these attacks (such as cyber insurers and financial services companies) implement risk-based compliance programs to mitigate exposure to sanctions-related violations and enforcement actions. 

In particular, according to the advisory, a sanctions compliance program should account for the risk that a ransomware payment may involve a person or entity on OFAC’s Specially Designated Nationals and Blocked Persons List, or a comprehensively embargoed jurisdiction. For example under federal law, U.S. persons are generally prohibited from engaging in transactions, such as ransomware payments, with individuals or entities on OFAC's Specially Designated Nationals and Blocked Persons List.

The OFAC also recommends, under its enforcement guidelines, that a company that falls victim to a cyberattack submit a self-initiated, timely, and complete report of a ransomware attack to law enforcement. Doing so will “be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

When it comes to cyberattacks on health care providers, it’s increasingly not if an attack will occur, but when. Threats are growing and hospitals and health care systems need to take steps to protect their systems. If an attack does occur, it’s important to understand the risks of a response, such as a ransom payment that could potentially give rise to sanctions.

Foster Swift’s health care and cybersecurity lawyers are here to help you implement protections and policies against cyberattack, coordinate responses, and provide counsel on risks. For questions or assistance relating to this article, please contact:

If you believe your organization has fallen victim to a cyberattack or other emergency, contact our Cybersecurity Hotline at 517-FS1-TASK (517-371-8275) to speak with a Foster Swift cybersecurity attorney.

Categories: Cybersecurity, Electronic Health Records, Hospice, Hospitals

Contact Author(s)
Click to Share Share  |  Twitter Facebook

Type the following characters: whisky, romeo, whisky, tango

* Indicates a required field.