A "HIPPA Extortion" case hit the news

Following my recent article where I tried to explain the concept of "GDPR Extortion", a data breach of a Health IT provider hit the news early this week, and the case of "HIPPA Extortion" became a sad reality.

For those of you who are not familiar with HIPAA (Health Insurance Portability and Accountability Act of 1996), is a United States legislation that provides data privacy and security provisions for safeguarding medical information, and in this case it applies to the Health IT provider that was breached.

The Nashville-based company (Medhost) is being asked by the cyber-criminals to pay 2 Bitcoins (BTC) which at the moment is approximately $35K (USD), otherwise they will sell the data they managed to steal. What is however very interesting in this story, is that they try to make their case by saying that they will do:

" ..a media release regarding the lack of security in a HIPPA environment. "

The screenshot is from Google's cache*, as the website of the breach company appeared on 19/Dec 2017 at 20:02 GMT. 

Will "GDPR Extortion" become the new "trend" in cybercrime?

Even though this is not an "official" term that is being used (well, at least not yet), it does describe the concern I am trying to explain to people at different occasions. I often discuss GDPR from the security perspective, and the conversations most of the time end up focusing at the implications of the regulation and the "next day". 

This is when I end up trying to describe the potential scenario of "GDPR Extortion", as I always like to see things through different lenses when it comes to forward-thinking in Information Security and CyberSecurity. 

By saying "GDPR Extortion" I tend to mean something similar to "DDoS Extortion", and it is easier to give an example to people in order to explain this type of potentially evolving threat.