Hospital Sues Bank of America Over Cyberheist
A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.
"In April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1 , one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added to the hospital’s payroll account almost 100 “money mules,” unwitting accomplices who’d been hired to receive and forward money to the perpetrators," reported Krebs on Security.
"On April 19, and then again on April 20, the thieves put through a total of three unauthorized payroll payments (known as automated clearing house or ACH payments), siphoning approximately $1 million from the hospital," said Krebs on Security.
"Bank of America was ultimately able to get back roughly $400,000 of the fraudulent payroll payments. But in a complaint filed against the bank," said Krebs on Security, the hospital alleges that an employee on the Chelan County Treasurer’s staff noticed something amiss the following week and alerted the bank to the suspicious activity. However, Bank of America still processed an unauthorized transfer request and transferred the funds as directed by the hackers.
"Chelan County alleges breach of contract, noting that the agreement between the county and the bank incorporates rules of the National Automated Clearinghouse Association (NACHA), and that those rules require financial institutions to implement a risk management program for all ACH activities; to assess the nature of Chelan County’s ACH activity; to implement an exposure limit for Chelan County; to monitor Chelan County’s ACH activity across multiple settlement dates; and to enforce that exposure limit. The lawsuit alleges that Bank of America failed on all of those counts, and that it ran afoul of a Washington state law governing authorized and verified payment orders," said Krebs on Security.
In a response filed with the U.S. District Court for the Eastern District of Washington at Spokane, Bank of America denied nearly all of the allegations in the lawsuit.