Ransomware-Related Class Action Lawsuits Against U.S. Higher Education

THE AUTHOR

Steve Linthicum
August 12, 2022

Ransomware-Related Class Action Lawsuits Against U.S. Higher Education

When tallying damages associated with a ransomware attack, the initial focus centers on calculating costs relating to the six steps detailed in the NIST Computer Security Incident Handling Guide that cover the initial detection and move on to the postmortem stage as quickly as possible. Those costs are perhaps the easiest to calculate, given that they are typically limited in terms of duration, with an obvious effort to gain control, stabilize operations, and return to business-as-usual.

The unfortunate reality is that damage totals will generally exceed these initial expenses, especially for entities like colleges and universities, where there are critical times when the resulting attack is much more than a mere inconvenience. Table 1 identifies the most recent ransomware attacks and the date of their reported event.

DateAcademic InstitutionApproximate Student EnrollmentNSA/DHS Center of Academic Excellence
07/04/2022College of the Desert12,500 
06/10/2022Napa Valley College5,000 
05/16/2022Mercyhurst University3,000 
05/02/2022Kellogg Community College6,900 
04/27/2022Austin Peay State University9,500 
04/11/2022Florida International University48,500Yes
03/11/2022North Carolina A & T University11,000Yes
02/14/2022Centralia Community College3,000 
01/20/2022Ohlone College9,000Yes
12/19/2021Lincoln College600 
12/05/2021Pellissippi State Community College10,500 
11/25/2021Lewis and Clark Community College9,000 
11/24/2021Butler County Community College12,500Yes
10/02/2021Washington Adventist University800 
05/19/2021Sierra College18,000Yes
Table 1. Recent ransomware attacks on U.S. colleges and universities.

This table represents a list of colleges and universities that have been hit by ransomware attacks. The task of compiling this list was made easier as a result of a “Publicly disclosed U.S. ransomware attacks database” maintained on the TechTarget website.

An approximate number of students for each institution is provided. Additionally, five of the institutions that have obtained the NSA/DHS designation as a Center of Academic Excellence are identified. With a third of the institutions listed holding this designation, it’s reasonable to expect that these institutions met specific requirements associated with obtaining this designation. This may indicate that some ransomware actors specifically target entities advertising this designation.

Lincoln College, a predominantly Black college listed in this table, closed its doors in May 2022, ending 157 years of operations as a consequence of the ransomware attack coupled with Covid-19-related issues. As noted in an article detailing the situation, the ransomware “seized up its networks and data” just as it came time to process applications and figure out enrollment for the next academic year. By the time those systems were fully restored, it was too late.

While there is no good time to face a ransomware attack, many of the attacks occurred near the end of a semester, when final exams are scheduled and final grades are due. During this time, students are also completing registration for the following semester and completing financial aid applications. What is important to recognize is this potential interruption in services can have lasting consequences for faculty, staff, and students, with the number of people affected (at least as large as the student enrollment shown above).

This information provides a fair opportunity to ask if situations justify the utilization of a class action lawsuit as a forum for recovery of damages alleged to have suffered. Available hints are provided by viewing the articles referenced above for Napa Valley College and Pellissippi State Community College. Both articles appear on law office websites. The Napa Valley article states:

Experienced data breach and class action attorneys can help you exercise your rights, evaluate your options, and decide whether you should seek compensation under the CCPA or CMIA.  There are no out-of-pocket costs to you, as we only get paid if we prevail.”

The Pellissippi article states:

“If evidence emerges that Pellissippi State Community College failed to meet its consumer privacy and data security obligations, the institution may be liable through a data breach class action lawsuit.”

As to whether any of these colleges and universities will face the prospect of being a class action defendant is unknown at this time. What is known is this role has occurred in educational institutions, particularly where medical records are involved. The list below was compiled by searching the database available on the ClassAction.Org website and including the keyword “university”.

Case Name and Filing InformationDescription
Menezes v. The Regents of the University of California FILED: 09/20/2021◆§ 3:21-CV-01641A class action has been filed over an alleged UC San Diego Health data breach in which hackers reportedly gained unauthorized access to employees’ email accounts.
Dinerstein v. Google, LLC et al. FILED: 06/26/2019◆§ 1:19-CV-04311Google and the University of Chicago are embroiled in a potential class action lawsuit over the search giant's collection of a trove of patient medical information from the school's medical center.
Ware et al. v. West Virginia University Medical Corporation FILED: 07/11/2022◆§ 1:22-CV-00054A lawsuit claims that West Virginia University Medical Corp. failed to properly pay employees in the wake of a data breach that compromised its payroll system.
Pallotta et al. v. University of Massachusetts Memorial Medical Center et al. FILED: 03/09/2022◆§ 4:22-CV-10361A lawsuit claims the UMass Memorial Medical Center has failed to pay employees timely and accurate wages after a data breach crippled its payroll vendor.
Martinez v. University of Connecticut et al FILED: 03/18/2019◆§ 3:19CV416The University of Connecticut and its teaching hospital face a class action after a data breach exposed the personal information of more than 326,000 patients.

There are several reasons initiating a class action lawsuit makes sense. As noted above in the table, the average enrollment for the 15 academic institutions is approximately 16,000 students. The floor for ransomware claims is often measured by the cost of providing credit monitoring services for a few years.

A single consumer’s out-of-pocket expense for such service would be approximately $20 to $25 per month. As noted in an article that discusses both the advantages and disadvantages of class action litigation, “the lower litigation costs will allow plaintiffs to seek relief who would not have found it financially prudent to do so in a traditional lawsuit.” With 16,000 students able to participate in a single lawsuit and not actually pay the cost of litigation, recovery of even a relatively minimal individual amount makes sense.

One possible way to avoid a class action filing may be to follow Lewis and Clark Community College’s approach by offering students credit monitoring service shortly after a ransomware attack is announced. Not only is this a reflection of the college’s concern and desire to protect those impacted by the attack, but it’s also a way to potentially reduce the possibility of a class action lawsuit being filed by lowering the number of possible claimants.

Sign Up For Our Newsletter

Don't worry, we hate spam too!

Other Articles You May Be Interested In:

Get Help Preparing For; Preventing;

Or Recovering From Ransomware Now

Get The Latest On Ransomware 
Right In Your Inbox

Sign Up To Receive Our 
Monthly Ransomware Newsletter

envelope
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram
Share via
Copy link
Powered by Social Snap