After hackers stole millions of highly sensitive records from a Goodwin client, an electronic health records company, they threatened to release them on the internet unless they were paid an enormous amount – the largest cyber ransom the FBI agents assigned to the case had ever seen. Goodwin’s Privacy + Cybersecurity practice managed to negotiate the ransom amount down to an affordable level for the client while keeping the records out of the public domain.

Client challenge

When FBI agents alerted the company about the breach and the company received an exorbitant ransom demand, the company – facing considerable financial and reputational risk – turned to Goodwin to counsel them on their response.

Our approach

Goodwin’s Data Privacy + Cybersecurity team quickly leaped into action, aiming to reduce risk to reputation and exposure to unreasonable ransom demands. Goodwin attorneys worked with the FBI to determine how to handle the hackers’ repeated, heated warnings: “Time is running out. You need to close the deal,” they wrote in one instance. “Your silence will cost your business. You'll be bankrupt,” they wrote in another. Goodwin counseled the company on how to respond every step of the way, even on and through a Christmas holiday.


Ransom situations are often a take-it-or-leave-it proposition. In this case, Goodwin attorneys successfully reduced the hackers’ demands by 90 percent, keeping the records private while satisfying the client. In the end, the records themselves were never published, and the client was relieved. Goodwin’s team continued advising the company in the months after the ransom situation was resolved to ensure it met all of its breach notification and HIPAA regulatory requirements.