Nearly one in five (18%) ransomware incidents in the US led to a lawsuit in 2023, with 123 filed so far, according to new figures from Comparitech.
The number of lawsuits for 2023 is likely to rise further, as data breach notifications for last year's incidents are still being issued.
The analysis showed that the number of lawsuits filed following ransomware attacks grew over the period 2018-2023.
Across just over 3000 confirmed ransomware incidents over the five years, 355 lawsuits were filed, a rate of 12%.
Of the 228 cases that have been completed, 59% were successful, achieving one or more of the following outcomes:
- A data breach settlement
- The company being fined for failing to safeguard systems and/or data
- Settled out of court/via mediation
In addition, 57 (25%) of the completed lawsuits ended in voluntary dismissal by the plaintiffs. Comparitech said this could suggest that out-of-court settlements were reached in these cases.
A further 25 (11%) were dismissed by the courts.
The proportion of completed cases dismissed voluntarily by the plaintiffs rose substantially over the period covered, from 5% in 2022 to 77% in 2023.
Data Breaches the Primary Reason for Ransomware Lawsuits
Data breaches are the main reason ransomware lawsuits are filed. Comparitech found that 283.3 million individual records are known to have been impacted in the 355 attacks where lawsuits have been filed, making up 80% of the records impacted across all ransomware attacks since 2018.
Of the top 50 ransomware attacks since 2018 based on records breached, 48 have seen lawsuits filed. The only two that haven’t had lawsuits filed are the June 2021 attack against the University Medical Center of Southern Nevada and the attack on VF Corporation in December 2023, the latter of which is currently under investigation by several law firms.
Healthcare (111 lawsuits filed) and finance (54 lawsuits filed) were the sectors with the highest number of lawsuits. This is consistent with these two sectors having among the largest volumes of records breached through ransomware attacks (healthcare 51 million records, finance 41 million records).
While the technology industry had the most records impacted (130.7 million), the majority of these stem from supply chain incidents such as MOVEit, Blackbaud and Fortra, in which a single exploited vulnerability impacted multiple companies at once.
Three lawsuits were filed against Colonial Pipeline following the 2021 attack that took the largest fuel pipeline in the US offline, on a number of grounds, including negligence, improper safeguards, breach of public duty and violations of consumer protection statutes. However, all three were dismissed.
Financial Costs from Lawsuits
Of the 112 cases in which out-of-court settlement figures were disclosed, organizations paid out over $245m in total, an average settlement of $2.2m.
The highest average payout to an individual plaintiff was $5,000.
The top five known settlement payments were the following cases:
- Horizon Actuarial Services, LLC - $8.7m
- Accellion - $8.1m
- Orrick, Herrington & Sutcliffe - $8m
- Scripps Health - $6.7m
- Planned Parenthood LA - $6m
In addition, organizations have been handed nearly $10m in regulatory fines for failings before, during or after ransomware attacks. This includes the US Securities and Exchange Commission (SEC) fining Blackbaud $3m for making misleading disclosures about its 2020 attack.