Hospital sues major U.S. bank to recoup losses from cyberheist

Bank of America denies allegations that it ignored a warning about fraudulent transfers

A public hospital in Washington has filed a lawsuit against Bank of America seeking to recoup some of the losses incurred from a $1.03 million cyberattack on the hospital in 2013, Krebs on Security reports.

In April 2013, hackers accessed the payroll accounts of Chelan County Hospital No. 1, adding nearly 100 "money mules" to the payroll account, meaning unwitting accomplices that were paid to receive and send the money to the hackers. On April 19 and 20, the thieves processed three unauthorized payroll payments that siphoned about $1 million from the hospital. The bank was able to return about $400,000 to the hospital.

But in its lawsuit, Chelan Country alleges that an official with the Chelan County Treasurer's Office notified the bank of a suspicious transfer totaling $603,575 that occurred on April 22.

"No funds had been transferred at the time of the phone call. Theresa Pinneo, an employee in the Chelan County Treasurer's Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers," according to suit.

The hospital alleges a breach of contract, arguing that the agreement between the bank and county incorporated regulations of the National Automated Clearinghouse Association that required the bank to implement a risk management program for all automated clearing house (ACH) payments.

Bank of America has denied the allegations in the lawsuit and said it did not ignore a warning about a fraudulent payment (Krebs on Security, 3/3).

Next in the Daily Briefing

Around the nation: March 5, 2015

Read now