Cloud Vendor Breach Harms Philanthropists
Stelios Valavanis, CEO of onShore Security
This week, NorthShore University HealthSystem and Northwestern Memorial HealthCare disclosed that their data management vendor had been subject to a ransomware attack earlier this year and had paid the criminals’ demand, on the assurance that the copied data in the attackers’ possession was destroyed and that no further misuse of the data could take place. As is often the case, the attack actually took place “in the cloud”, on the servers of a third-party contractor. In this case, it was the widely used data management software, Blackbaud. It is NorthShore, however, that is required to notify the tens of thousands affected, including 56,000 donors to the organization. While NorthShore is unlikely to be faulted by many for trusting an established entity like Blackbaud with its donors’ and patients’ data, it is still ultimately, and legally, responsible for the safekeeping of that data. Even when outsourcing to third parties, the organization remains the custodian of the data and is responsible for restricting its use to prescribed and lawful purposes. This is one of several things we should take away from this case.
Data privacy laws may differ across the country and across industries, but as far as liability is concerned, there is a consensus: your organization is responsible for the private data it holds and is liable for any breach of that data’s security, regardless of whether the breach resulted from a failure by a third-party vendor or an outsourced party. This must always be considered when engaging with third-party vendors or anything in the “cloud”. Remember, the “cloud” is just somebody else’s computer. While some operate under the false assumption that data is secure by mere virtue of being stored in the cloud, the reality is that a cloud solution is an additional attack vector.
As the criminal organizations using ransomware in their attacks have matured, they have fine-tuned their targets. When the general public first became aware of ransomware-style attacks, the targets were often individuals, faced with ransom demands ranging from hundreds to thousands of dollars. Attackers then set their sights on larger organizations and institutions, such as hospitals and universities, and on municipalities such as Atlanta, with ransom demands exponentially higher. At that point, the criminals’ intent was largely to disable their target and hold its operational capability hostage. Now that their targets include organizations and institutions that use sensitive data in their operations, the gangs trade on the value of this data as well. Ransomware attacks must now be seen as both an attack on operations and a data breach.
Influenced by new privacy regulation, like GDPR and CCPA, breach disclosure laws are changing everywhere. Organizations often prefer to disclose only what they are required to, and only when required, which can mean breaches are underreported. Many new disclosure laws, however, now require notification of customers if data may have been at risk, even when this is not proven forensically, putting organizations in a position where they must protect their data or risk not only legal and financial liability but also reputational cost in their industry and market.
While medical patient data is always of high value, the novelty of this attack lies in the theft of the hospital’s extensive donor list. These philanthropists are not only targets as private citizens, but can also become targets at the other organizations and businesses they are involved in.
This instance of ransomware will certainly not be the last of its kind, but it is notable that in this case donors are a new class of data theft target. The points discussed as part of this story are likely nothing new to those already deep in cybersecurity, or to those dealing with cybersecurity vendors, but anyone trusting another party with their personal information should know the current status of privacy regulation and where responsibility rests.