A former student at Whitworth University in Spokane, Washington, has filed a lawsuit against the university after becoming the target of a ransomware attack discovered in July 2022.

The lawsuit was filed Thursday in U.S. District Court in Spokane and accuses the university of negligence after hackers were able to steal personal information including financial and health information of current and former students, staff, and faculty.

Although the ransomware attack was discovered in July, it was not until August that the university reported the attack as a “sophisticated security issue.” In October, the university reported the attack to the Washington attorney general's office. The attack affected 65,593 individuals, 36,564 of whom were Washington state residents.

Like most cyber attacks, ransomware attacks are conducted via social engineering tactics like email phishing in order to exploit a vulnerability in the system’s network. Ransomware attacks work by encrypting data so that a data owner cannot access it. Hackers then demand a ransom to decrypt the data and will not do so until the ransom is paid. If the ransom is not paid, hackers will often sell the data on the dark web to other bad actors.

Cyber security experts and government officials typically advise against paying the ransom, as doing so can help fuel this type of cyber attack. Additionally, even if a ransom was paid, sensitive information can still fall into the wrong hands after it’s become compromised. It is not clear if the university paid the ransom to recover the data in the July breach.

In alerting the public, the university shared a letter that explained, “Multiple unauthorized actors infiltrated our network” and were able to obtain information including names, student identification numbers, state identification numbers, passport numbers, Social Security numbers, and health data. Still, university officials maintained that the hackers were unable to retrieve a file that contained the most sensitive type of information. University and state officials have not disclosed who or what organization was behind the cyberattack.

According to the Washington Attorney General’s Office, there were 4.5 million Washingtonians who were the victims of cyberattacks in 2022, a tick down from the 6.5 million impacted individuals in 2021.

The lawsuit, which was filed by former student Patrick Loyola, accuses the school of not doing enough to prevent the attack from occurring in the first place. He contends that the university’s security systems were "completely inadequate and allowed cybercriminals to obtain files containing a treasure trove of thousands of its former and current students' highly sensitive ."

In its alert to impacted individuals, Whitworth University issued a free credit monitoring service. However, Loyola argues that the credit monitoring service “does not adequately address the lifelong harm that victims will face following the data breach.”

He adds that he has suffered "increased anxiety for the loss of privacy" which requires him to continually monitor his credit. The lawsuit goes on to say Loyola has “suffered imminent and impending injury from the substantially increased risk of fraud, identity theft, and misuse” of his personal information as a result of the data breach.

Loyola argues that the university’s negligence led him and others to suffer damages in excess of $5 million. Loyola is currently seeking class-action status for the lawsuit to help provide relief for others impacted.