3 min read

To pay or to not pay for stolen data

Picture of Kapua Iao Kapua Iao December 2, 2020

Healthcare cybersecurity news
Padlock with skull symbol on a keyboard wrapped in chain, representing cybersecurity threat
ransomware locking a computer Here’s a direct question: Should you pay a ransom to get stolen data back? To pay or to not pay for stolen data is a conflict many organizations face. Within the Paubox blog, we have talked at length about ransomware but have yet to explore this question specifically. But this query is pertinent today, especially for healthcare covered entities (CEs) working with sensitive protected health information (PHI). The healthcare industry remains one of the most heavily targeted industries for cybercrime. And many hackers believe most CEs will pay to retrieve stolen PHI and/or to get back into their systems. Especially during a health crisis. RELATED: Coronavirus Cyberattacks: How to Protect Yourself Let’s explore the issue of paying for stolen data after a ransomware attack and how CEs should focus on prevention and protection first.

What is ransomware?

Ransomware is malware (or malicious software) used to deny a victim access to a system until a ransom is paid. Victims typically download malware through phishing emails that can include malicious attachments or fraudulent links. Once a victim opens or clicks on the malware, hackers have access to a system. For ransomware, a hacker typically encrypts data and then demands a ransom. Over the past year, however, there has been a growth in exfiltration (where a hacker steals data before encryption). RELATED: Maze Ransomware Group Publicly Releases Stolen Data A breach is frustrating but the costs (and problems) that develop from a ransomware attack can be detrimental. Such damages include unrecoverable data, upset patients, shut down services (including during emergencies), damaged reputation, fees related to closures or cybersecurity changes, possible investigation by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights, possible HIPAA violations, and of course, the ransom payment. RELATED: HIPAA Stands For . . . And exfiltration adds even more complications with the possibility of publicly exposed PHI. Accordingly, ransomware is the biggest threat to email security today. RELATED: INTERPOL Warns of Increased Ransomware Attacks on Hospitals The costs of both refusing to pay and paying a ransom can be high depending on the type of ransomware, the threat actor, and the CE itself.

 

To pay or to not pay after a ransomware attack

There may be benefits to paying a ransom, but unfortunately, the benefits are not always guaranteed.

 

Possible Benefits Possible Problems
Decryption key provided Time-consuming negotiations
Data deleted by hackers Released data (before or after ransom paid)
Shorter data recovery time Fake decryption key provided
  Traded, sold, or held data
  Demand for more money
  Word spread about willingness to pay

 

In 2019, Hackensack Meridian Health paid a ransom for access to its stolen PHI. Shortly thereafter, a spokesperson stated, “We believe it’s our obligation to protect our communities’ access to health care.” And this year, Champaign-Urbana Public Health District was forced to pay $350,000 for access into its system. The district met the demands because it wanted a shorter recovery time. Furthermore, its cyber insurance could cover most of the ransom. RELATED: The Influence of Ransomware on Insurance In both cases, no issues seemed to arise after payment, but this isn’t always the case. For example, Kansas Heart Hospital was hit in 2016, paid a ransom, and then was ordered to pay more. And recent research suggests victims often see exfiltrated data published if kept or sold by the cyberattackers:

  • Sodinokibi: re-extorted weeks later
  • Maze/Sekhmet/Egregor: posted accidentally or willfully before a theft was known
  • Netwalker: posted after organizations paid
  • Mespinoza: posted after organizations paid
  • Conti: used fake files to show proof of deletion

 

RELATED: Hackers Release Healthcare Data in Double Extortion Attacks In other words, paying a ransom does not always guarantee security.

 

So should I pay to get stolen data back?

A recent joint alert—between HHS, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency—does not recommend paying ransoms:
Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
But such statements, while emphatic, are not always helpful on their own. Each CE should also contemplate five questions when considering to pay or to not pay:
  1. Can you legally pay?
  2. Does paying solve the immediate problem?
  3. Does paying solve the longer-term problem (for you)?
  4. Does paying solve the longer-term problem (for everyone)?
  5. Is paying "cheaper" than the alternative?
Paying the ransom may solve immediate problems and may be a cheaper alternative. But in the long term, security is not guaranteed. This is why paying a ransom is not a long-term solution.

 

Avoid data-stealing with strong cybersecurity

In the early days, ransomware victims could ignore a breach if they had adequate backup. But new technologies, new ways for people to connect, and new ways for hackers to attack, means more attention must be placed on prevention and protection. RELATED: Email Archiving and HIPAA Compliance For a CE, this means utilizing HIPAA compliant email to meet HIPAA standards of email security. The HIPAA Privacy Rule establishes how PHI can be disclosed while the Security Rule describes guidelines for protecting ePHI (electronic PHI). RELATED: FACT SHEET: Ransomware and HIPAA Under HIPAA, a CE’s cybersecurity program should guard, detect, and help record malware. It should also manage data backup and recovery. This means using solid email security such as Paubox Email Suite Plus which provides robust inbound security tools that stop threats before reaching a user’s inbox. To pay or not to pay is a tough question, one that no CE wants to face. This is why CEs must focus on prevention strategies before ransomware wreaks havoc.
 
Try Paubox Email Suite Plus for FREE today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
email icon in chain and lock

Clop extortion emails target Oracle E-Business Suite users

Picture of Farah Amod Farah Amod : October 16, 2025

A new wave of extortion emails is hitting executives, claiming stolen data from Oracle E-Business Suite systems.

Email security Healthcare cybersecurity news
Read More
powerschool logo

PowerSchool breach exposes millions of student records despite ransom payment

Picture of Tshedimoso Makhene Tshedimoso Makhene : May 15, 2025

PowerSchool, a major education tech provider, paid hackers to prevent the release of stolen student data, but school districts are still facing...

Healthcare cybersecurity news
Read More
Cybersecurity threat icons including exclamation point, virus, spyware, and lock symbols on digital background

Rhysida ransomware attack hits Port of Seattle, affecting 90K

Picture of Farah Amod Farah Amod : April 11, 2025

The Port of Seattle is warning 90,000 people their personal data was stolen in an August ransomware attack linked to the Rhysida cybercrime gang.

Healthcare cybersecurity news
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.