Million-Dollar Hospital Cyberattack Sparks BOA Lawsuit

After a 2013 cyberattack cost it $1.03 million, a public hospital in Washington state is now suing Bank of America to recover some of its losses.

The formal complaint, posted on KrebsOnSecurity, states that hackers first initiated two unauthorized payroll requests from the account of Chelan County Public Hospital, totaling nearly $400,000 on April 18, 2013. The next day, the hackers reportedly aimed higher, requesting $603,575. Bank of America is said to have processed all three requests, putting approximately $1 million in the hands of the cybercriminals.

According to the lawsuit, Bank of America recovered about $400,000 of what was taken by the hackers.

However, the latter transaction raised some flags on April 22, when a Chelan employee reportedly became aware of the suspicious activity in their accounts. Chelan’s lawsuit states that a Bank of America employee responded, contacting the Chelan County Treasurer’s Office to ask if the $603,575 transfer request was authorized. The lawsuit claims that the Chelan County Treasurer’s Office employee stated it was not authorized, yet it was still processed.

In a response from Bank of America, posted on KrebsOnSecurity, BoA admits processing the payments, as well as being contacted by Chelan County on April 22, but it denies nearly all of the remaining allegations.

In the lawsuit, Chelan County is alleging breach of contract, accusing Bank of America of failing to adhere to rules put in place by the National Automated Clearinghouse Association (NACHA) related to risk management and activity monitoring.

The bank attests that, in its dealing with Chelan County, it acted entirely within the parameters of the Uniform Commercial Code (UCC).

KrebsOnSecurity, in a March 3 article, noted that businesses like the Chelan hospital do not enjoy the same protections that consumers do when it comes to online banking. Consumers are protected by Regulation E, which limits the liability of individuals who suffer a financial loss due to unauthorized transactions, but businesses are not. Their only option in many cases is to sue their bank, and that’s exactly what Chelan County is doing.