When a massive hacker attack hit a unit of UnitedHealth Group last month, snarling the work of thousands of companies, hospitals and doctors, Blank Rome cybersecurity partner Sharon Klein swung into action advising her clients.
“That was devastating to hospitals,” she said. “They couldn’t get paid, and people couldn’t get their prescriptions filled.”
It was the latest breach that Klein—the co-chair of Blank Rome’s Privacy, Security & Data Protection practice—has faced over the course of more than 35 years of advising clients on data privacy, cybersecurity and other complex technology transactions.
“I was in the middle of that, counseling clients, trying to do damage control,” Klein told the Business Journal on March 7.
She receives FBI alerts and is on various professional cyber information channels “so that I can then communicate with my clients proactively.”
“So that’s what I did.”
She said she’s pretty sure that UnitedHealth eventually paid a ransom. In fact, the Reuters news agency quoted a hacker forum popular with cybercriminals claiming UnitedHealth Group paid $22 million in a bid to recover access to data and systems encrypted by the “Blackcat” ransomware gang.
Ransomware is a cyberattack in which hackers encrypt or steal data and hold it hostage until the victim organization pays a ransom.
Healthcare industry security is of specific interest to Klein, who is a member of a U.S. Department of Health and Human Services task force which “is addressing aligning healthcare industry security approaches to responding to cybersecurity threats under the Cybersecurity Information Sharing Act of 2015,” her bio notes.
Protecting Data
Blank Rome has eight lawyers in its Orange County office.
Klein doesn’t make any decisions on paying a ransom to get data back, but she is active in advising victims of ransomware and breaches.
“I give them the pros and the cons of that,” according to Klein. “I communicate that to my clients.”
A key consideration is making sure the data will be returned and that it won’t end up on the “dark web,” available to more criminals.
She estimates the average ransom paid is $200,000 to $500,000, while the global totals are in the billions of dollars.
Much of the ransom payment is usually covered by insurance.
“The insurance carriers really are footing the bill in a large sense,” Klein said.
“It escalates the cost of cyber-insurance for everyone right now.”
She said most of her cases are not dramatic ransomware cases, but rather innocent slip-ups that could have been easily avoided, including misdirected wire transfers, sometimes reaching a million dollars or more.
Some companies pay ransom to preserve their reputations, helping keep “peace of mind.”
Blackbaud Settlement
Klein was a leader of the Blank Rome team that represented the fundraising software company Blackbaud Inc. after a 2020 data breach at the company exposed sensitive information from 13,000 nonprofits.
Blackbaud (Nasdaq: BLKB) agreed in October to pay $49.5 million to settle claims brought by the attorneys general of 49 states and Washington, D.C., though California did not join in the settlement.
Blank Rome counts 15 offices and 700 attorneys and principals. Its Irvine office is at the Jamboree Center office complex.
Trouble Ahead
Just when businesses are starting to come to grips with the omnipresent cyber threats, Klein warns of even more trouble ahead.
“We should be looking for much more sophisticated breaches using artificial intelligence,” she said.
Klein points out that hackers are extremely thorough in their legwork to be sure that their schemes ring true to victims.
“All of that groundwork now is done by AI so it goes a lot faster,” she said. “The bad guys are so smart, it’s hard to keep up sometimes.
“You can avoid a lot of the ransomware caused by phishing by being proactive in using multi-factor authentication,” she said.
“The breaches that we see are really caused by people not paying attention.”
Sometimes just plain being nice can be an organization’s downfall.
“Some people are taking advantage of them being nice in sharing too much private information. And that is a breach.”
Klein’s practice also includes:
• Compliance/insurance recovery
• Regulatory enforcement
• Incident response
• Data as a business asset
• Planning, drafting, and implementing privacy, security, and data protection policies and best practices