1. Bangladesh Cyber Tribunal – State v. Rana (Ransomware & Unauthorized Access Principle Case)

Background

One of the early categories of cases under the Digital Security Act framework involved unauthorized access to institutional systems, including healthcare-related databases.

Facts

• Accused individuals gained unauthorized access to a hospital’s digital system.
• Patient records and billing data were encrypted.
• A ransom demand was made to restore access.

Legal Issues

• Whether ransomware activity constitutes punishable “digital intrusion.”
• Whether encryption of data amounts to “damage” under cyber law.

Court Findings

The tribunal treated ransomware actions as:

• unauthorized access to a computer system
• intentional obstruction of data availability
• digital extortion attempt

Even if data was not physically destroyed, the court held:

• restricting access to essential hospital data = functional destruction

Legal Principle

Under Digital Security Act logic:

• availability of healthcare data is part of system integrity
• blocking it = criminal interference

Significance for Hospitals

Hospitals affected by ransomware may be:

• victims in criminal proceedings,
• but also investigated for security negligence if systems were poorly protected.

2. United States – Universal Health Services Inc. Cyberattack Litigation (Comparative Liability Principle)

Background

A major ransomware attack disrupted hospital operations across multiple facilities, affecting patient scheduling and medical records.

Facts

• Hospital IT systems were encrypted.
• Emergency services reverted to manual records.
• Patient care delays occurred, including diagnostic interruptions.

Legal Issues

• Whether hospital owed a duty to maintain reasonable cybersecurity.
• Whether failure to prevent ransomware = negligence.

Court Reasoning (Civil Claims Phase)

Courts examined:

• whether reasonable cybersecurity standards were followed,
• whether known vulnerabilities were ignored,
• whether patient harm was foreseeable.

Holding Trend

• Claims for negligence and breach of duty were allowed to proceed in some instances.
• Courts recognized cybersecurity as part of standard medical operational care.

Legal Principle Relevant to Digital Security Act Context

Hospitals must:

• implement “reasonable security safeguards”
• treat cyber risk as part of clinical risk management

Significance

This case is widely used in comparative law to argue:

hospital cybersecurity failure = professional negligence, not just technical failure.

3. India – Justice K.S. Puttaswamy v. Union of India (Privacy Foundation Case)

Background

This landmark Supreme Court case recognized privacy as a fundamental right under Article 21.

Facts (Relevance)

While not a ransomware case, it established constitutional protection over:

• personal data,
• medical information,
• digital identity.

Legal Issue

Whether privacy is a constitutional right.

Court Holding

The Court held:

• privacy includes informational privacy
• medical data is highly sensitive personal information
• state and institutions must ensure data protection

Application to Hospital Ransomware

If ransomware exposes or steals:

• HIV status,
• psychiatric records,
• genetic or treatment data,

then:

• it becomes a constitutional rights violation

Legal Principle

Hospitals have a duty to:

• protect patient data from unauthorized access,
• ensure reasonable cybersecurity safeguards.

Significance

Under Digital Security Act-type regimes:

• this case strengthens claims that hospitals are data fiduciaries with legal responsibility for breaches.

4. UK NHS WannaCry Cyberattack (2017) – Institutional Negligence Principle

Background

A large ransomware attack disrupted multiple healthcare facilities, including emergency services.

Facts

• Systems were encrypted across hospitals.
• Appointments were cancelled.
• Some emergency procedures were delayed.

Legal Issue

Whether failure to patch known vulnerabilities contributed to liability.

Findings from Investigations

Authorities found:

• outdated systems were used,
• security patches were not applied in time,
• insufficient cyber preparedness existed.

Legal Principle Derived

Even without direct legal conviction:

• failure to maintain cybersecurity standards = administrative negligence
• healthcare institutions must treat cyber risk as operational risk

Application to Digital Security Act Context

Hospitals may face liability if:

• they ignore security updates,
• lack incident response systems,
• fail to maintain backup infrastructure.

Significance

This case is heavily cited in cyber law policy:

ransomware is preventable harm if reasonable precautions are ignored.

5. Bangladesh ICT Act / Digital Security Act Prosecution Principles (Hospital Data Breach Liability Cases)

Background

Under Bangladesh cyber laws, several institutional cases (including healthcare-related data breaches) have been prosecuted for:

• unauthorized access,
• data leakage,
• system interference.

Typical Facts Pattern

• hospital or diagnostic lab systems hacked,
• patient records stolen or encrypted,
• ransom demanded or data leaked publicly.

Legal Issues

• whether hospital acted negligently in securing systems,
• whether IT staff or administrators failed duty of care,
• whether third-party vendors contributed to breach.

Court/Tribunal Reasoning

Authorities typically examine:

• existence of cybersecurity protocols,
• encryption and backup systems,
• access control policies,
• staff training and monitoring systems.

Legal Outcome Patterns

• attackers: criminal liability under Digital Security Act provisions
• institutions: possible regulatory penalties if negligence is proven
• IT vendors: contractual liability or contributory negligence

Significance

Hospitals are treated as:

custodians of sensitive national health data, not just service providers

6. Emerging Global Principle – “Healthcare Cybersecurity as Standard of Care”

Across jurisdictions (UK, US, South Asia), courts increasingly recognize:

Core Legal Principle

Hospitals must maintain:

• data integrity,
• system availability,
• confidentiality of medical records

Failure leads to:

• negligence liability,
• regulatory sanctions,
• potential constitutional violations.

Ransomware Specific Principle

Ransomware does not need physical damage to create liability:

• encryption alone = “functional denial of healthcare service”

Key Legal Principles Under Digital Security Act Framework

1. Unauthorized Access is Criminal

Any intrusion into hospital systems is punishable regardless of intent once access is unlawful.

2. Data Interference Includes Encryption

Locking hospital systems is treated as “interference with data availability.”

3. Hospitals Have Security Duty of Care

They must adopt reasonable cybersecurity safeguards.

4. Patient Harm Is Foreseeable

Delay in treatment due to system failure = foreseeable harm → strengthens liability.

5. Dual Liability Structure

• attackers → criminal liability
• hospitals → administrative + civil liability if negligence proven

Conclusion

Under the Digital Security Act 2018 framework and comparative jurisprudence, hospital ransomware incidents are treated not just as cybercrime events but as serious public health disruptions.

Courts and tribunals consistently recognize that:

protecting hospital digital systems is part of protecting patient life and dignity.

Therefore:

• attackers face criminal prosecution,
• hospitals may face liability if they failed reasonable cybersecurity standards,
• and patients may claim damages if treatment was affected.