

By now, nearly everyone in the U.S. has received the dreaded letter informing us that our personal data was breached—whether through our credit cards, a medical provider’s office, a retailer, an insurance company, or someplace else. Unfortunately, this is neither rare nor unexpected.
A cybersecurity breach (also called a data breach) occurs when sensitive, confidential, or protected information is accessed or disclosed without authorization. This can expose data such as credit card numbers and other financial information, social security information, corporate financial records, health information, and more.
Data breaches are typically caused by malicious attacks, but they can also result from human error or system vulnerabilities.
How can a cyberattack cause physical damage or injury?
Once upon a time, a cybersecurity breach meant a lot of hassle and probably some cost. You might have to monitor your credit reports, deal with ID theft, and change important documents and government records like social security, among other things.
While a loss of sensitive data or disruption in services would be a problem in the past, the stakes are higher today. Hackers can interfere with connected devices in ways that cause injury or even death.
Here are some examples of how a cybersecurity breach can cause physical injury:
Medical device hacks
There are a variety of implantable or wearable medical devices like insulin pumps, pacemakers, and neurostimulators that rely on wireless connectivity for monitoring and updates. Weak encryption or outdated firmware can allow a hacker to send malicious signals that alter dosages, shut down the device, or drain the battery.
This can cause physical injury if, for example, a hacked insulin pump overdoses a patient and causes hypoglycemia. Also, pacemaker tampering could induce arrhythmia or shut off the pacemaker entirely. In fact, the FDA recalled some pacemakers in 2017 because of a vulnerability that would allow attackers to reprogram them remotely.
How does it happen?
There are several ways:
- Unencrypted wireless protocols. Many pacemakers, insulin pumps, or neurostimulators use RF or Bluetooth without strong encryption. An attacker can “sniff” the wireless traffic, then replay or inject malicious commands.
- Default or hardcoded credentials. Some devices ship with admin passwords that are never changed, which allows direct remote access.
- Firmware exploitation. Hackers reverse-engineer the firmware to find vulnerabilities (e.g., buffer overflows) and then craft payloads to alter dosage levels or disable the device.
Connected vehicle breaches
Modern vehicles are essentially computers on wheels: internet-enabled infotainment systems, GPS, and autonomous driving features are key components of your car these days. A hacker can exploit a vulnerability in Wi-Fi, Bluetooth, or even tire-pressure monitoring systems to access a car’s Controller Area Network bus (“CAN bus”). The CAN bus carries the messages that control acceleration, brakes, and steering. In simpler terms, once inside the car’s network through a weak point like infotainment Wi-Fi or a cellular modem, attackers inject malicious CAN messages that mimic legitimate signals, like “brake” or “accelerate.” Vulnerabilities in the car’s entertainment software, reachable through USB, Bluetooth, or cellular, give attackers an “in” to the core driving systems.
This means a remote hacker could disable brakes, which would likely cause a collision. In 2015, researchers hacked a Jeep Cherokee by remotely killing the engine on a highway; this prompted a recall of more than a million vehicles. And while that’s long resolved, it could happen again, and the next time might be nefarious actors and not researchers.
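Because injected frames mimic a legitimate message ID, one common way to spot them is timing: periodic CAN messages arrive on a fixed schedule, and extra frames make an ID show up too often. The following is an added example, not from the original article or any automaker; the CAN IDs, periods, and capture data are constructed, and the heuristic covers only periodic messages.

```python
from collections import defaultdict
from statistics import median

# Constructed baseline capture: (timestamp in ms, CAN ID).
# Hypothetical IDs: 0x0C4 is sent every 10 ms, 0x1A0 every 100 ms.
BASELINE = sorted([(t, 0x0C4) for t in range(0, 200, 10)] +
                  [(t, 0x1A0) for t in range(0, 200, 100)])


def learn_periods(baseline):
    """Return {can_id: median interval between frames} from clean traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id in baseline:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {can_id: median(g) for can_id, g in gaps.items()}


def detect(frames, periods, ratio=0.5):
    """Flag IDs never seen in the baseline and frames that arrive too soon."""
    last, alerts = {}, []
    for ts, can_id in frames:
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown id"))
        elif can_id in last and ts - last[can_id] < ratio * periods[can_id]:
            alerts.append((ts, can_id, "too frequent"))
        last[can_id] = ts
    return alerts


def sample_alerts():
    # Constructed live capture: normal 0x0C4 traffic, two extra 0x0C4 frames
    # at 22 ms and 32 ms, and one frame with an ID absent from the baseline.
    live = sorted([(t, 0x0C4) for t in range(0, 60, 10)] +
                  [(22, 0x0C4), (32, 0x0C4), (35, 0x7FF)])
    return detect(live, learn_periods(BASELINE))


if __name__ == "__main__":
    for ts, can_id, reason in sample_alerts():
        print(f"{ts:4d} ms  id=0x{can_id:03X}  {reason}")
```
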
Critical infrastructure and smart buildings
Smart thermostats, elevators, and HVAC systems are increasingly connected to the cloud in new or newly renovated buildings. A hacker could exploit these systems to create unsafe building conditions. For instance, an elevator could be disabled remotely during an emergency, or someone could tamper with the HVAC system of a nursing home, leading to unsafe overheating or cold conditions for residents. There are also instances where an attacker has cut off a security alarm, which allows more opportunity for physical harm during a break-in.
This can happen because many HVAC and building control systems run on outdated protocols like BACnet. BACnet allows various devices and systems from different manufacturers to communicate and work together for interoperability, creating an integrated building automation system. While BACnet is still relevant and widely used, some older systems have cybersecurity risks.
Remote access vulnerabilities exist, and if a property manager’s remote login isn’t protected with multi-factor authentication, an attacker can brute-force entry.
Finally, attackers know how to weasel their way in, so to speak. A hacker might compromise a small device like a smart thermostat or security camera to gain a foothold in the building, and then they can move laterally into more critical systems.
Hospitals and healthcare networks
Ransomware attacks can paralyze a hospital’s IT system. A hacker could block access to electronic health records or diagnostic equipment, which could result in life-threatening delays of medical treatment. In 2020, a ransomware attack overseas forced a hospital to reroute an emergency patient, who later died. This was considered to be the first fatality directly tied to a cyberattack.
How do ransomware attacks happen? Hackers send phishing emails to hospital staff, gain access to the internal network, then encrypt critical files, including patient records and medical imaging. Once inside, the hacker can exploit unpatched Windows devices to spread across the network and eventually hit surgical equipment interfaces or radiology software. By intercepting communication between diagnostic equipment and hospital servers, a hacker could alter medical records or delay test results.
Consumer smart products
Internet of Things (IoT) devices like baby monitors, door locks, and home security systems are frequent hacking targets, in part because they often have poor password security.
These can cause harm in a variety of ways. A hacked baby monitor could allow a stranger to watch or speak to a child; compromised smart locks could allow intruders into homes (or be used to trap or endanger residents); hijacked drones could crash into people, cars, or houses; and a variety of other issues.
These devices, the ones in your home, often allow weak or default passwords. In addition, many of these devices are managed through apps. If the hacker can compromise the app account, they can control the device. Also, old firmware rarely gets updates, and that can leave flaws open to exploitation.
Cybersecurity and personal injury law
Cybersecurity and personal injury law intersect in more ways than you might expect. There are four primary legal theories and parties that could be held responsible if a cyberattack causes physical injury.
1. Product liability for manufacturers
The manufacturer of a hacked device that caused an injury could be liable to the victim. The victim could file a claim under one (or more) of the causes of action for a product liability lawsuit:
- Design defect, if the product lacked adequate security by design (for example, it was not encrypted, or it was designed to use default passwords only)
- Manufacturing defect, if a particular device was made and shipped with a vulnerability
- Failure to warn, if the company didn’t disclose known risks or failed to issue timely security patches
2. Negligence of healthcare providers or employers
A healthcare provider (like a hospital) that uses connected technology has a duty of care to its patients. It could be held liable if it:
- Failed to implement security patches
- Used outdated equipment and ignored warnings
- Failed to restrict access to critical systems
3. Premises liability cybersecurity lawsuits
Premises liability is the area of law that handles injuries from hazardous property conditions. This would cover a cyberattack in smart building systems, like HVAC, elevators, security locks, etc.
An injured tenant or visitor could make a claim that the property owner:
- Knew or should’ve known the systems were insecure
- Failed to maintain reasonable protections like firewalls, multi-factor authentication, or vendor security compliance
4. Transportation and vehicle liability for cyberattacks
If a car, truck, bus, or other vehicle is hacked, the victim might file a lawsuit against:
- The automaker for product liability
- The fleet or employer (for example, the trucking company), if they failed to update firmware or used vehicles with known vulnerabilities
For example, if a hacked autonomous truck crashes, the victim might sue both the manufacturer (for defective design) and the trucking company (for negligent maintenance).
Additional legal issues in cybersecurity lawsuits
Shared liability and complex causation
A cyber-related injury case could involve multiple defendants. These could include:
- The manufacturer of a defective product;
- The operator or employer for failure to patch or monitor; or
- A third-party vendor, if their software update introduced the vulnerability
This could raise issues related to comparative negligence and apportioning damages among parties.
Why don’t we just sue the hacker for a cybersecurity attack?
Because we can’t sue someone if we don’t know who they are—and this is a common scenario.
Hackers typically conceal their identities in a variety of technological ways. Even if an attack is traced, it’s often linked to a computer in another country or a compromised system that an innocent third party was using. Without knowing the individual responsible, you can’t name them as a defendant in a lawsuit.
Sometimes, a hacker is pursued criminally by the FBI, DOJ, or Interpol. That might provide a victim some restitution in criminal court, but it’s not going to provide financial damages like a personal injury lawsuit would.
Typically, a personal injury lawyer will focus on companies, hospitals, or manufacturers because they have a legal duty to protect users’ data and safety, and they have deep pockets to pay a settlement or judgment. They will have insurance coverage and assets to cover damages.
Cyberattacks that cause physical injury are no longer science fiction. Courts are starting to treat cybersecurity failures as a form of foreseeable negligence. For plaintiffs, these cases might open new pathways to compensation under product liability, malpractice, negligence, and premises liability law.