Breast Cancer Patients Sue Over Breached Exam Photos, Data
Health Group's Refusal to Pay Ransom Prioritized 'Money Over Patient Privacy'

A cancer patient whose partially naked exam room photos and personal data were stolen and subsequently posted on a ransomware leak site last month filed a proposed class action lawsuit, alleging that Lehigh Valley Health Network's refusal to pay the ransom demand "prioritized money over patient privacy."
The lawsuit, filed Monday in Lackawanna County, Pennsylvania, says the data leak by Russian-speaking ransomware-as-a-service group BlackCat earlier this month affected a Lehigh Valley Health cancer patient identified as "Jane Doe" and other patients.
BlackCat, also known as Alphv, on March 4 posted on its dark web site a warning to the health group that it would begin publishing stolen data, including patient photos, questionnaires, passports and other information (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).
The lawsuit alleges that after Lehigh Valley Health refused to pay a ransom, BlackCat began posting exam photos of Jane Doe and another patient taken during stages of undress during their cancer radiation treatments.
BlackCat additionally uploaded a 132-gigabyte file onto its dark web site on Friday that the group said contained more patient photos and data, along with a promise to leak additional data and photos every week until a ransom was paid, the complaint alleges.
The photos leaked on the dark web include images of disrobed breast cancer patients from the waist up. Lehigh Valley Health "prioritized money over patient privacy and refused to pay the hackers to keep the pictures private," the plaintiffs' attorneys said in their statement.
Patients were unaware the photos were in their medical files, "let alone susceptible to theft," says a statement issued Monday by attorneys representing plaintiffs.
The complaint alleges that "likely hundreds if not thousands" of individuals were affected by the Lehigh Valley Health Network incident.
Among other allegations, the lawsuit accuses the medical group of negligence in failing to secure patient information and privacy, breach of contract, and violations of HIPAA and other privacy regulations.
The lawsuit seeks injunctive relief to prevent Lehigh Valley Health Network from engaging in the "wrongful and unlawful acts" that contributed to this incident, damages, plus punitive damages for conduct "allowing" sensitive patient photos to be knowingly posted on the internet.
The lawsuit implies that hackers would not have leaked patients' sensitive photos had the health center paid the extortionists' demand. That's not necessarily the case, said privacy and security attorney Brad Rostolsky of the law firm Reed Smith.* "For better or worse, paying the ransom does not guarantee that the stolen information will not be disclosed to the general public."
"The ransom payment is typically exchanged for regained access to information that has been locked up by the cyber-criminal. Beyond that, and even if you pay the ransom, it's hard to feel comfortable banking on the word of the very criminal who stole your data."
Breach Details
LVHN President and CEO Brian Nester in a Feb. 22 statement said that BlackCat's ransomware attack had not disrupted the health network's operations (see: Pennsylvania Health System CEO Confirms BlackCat Attack).
Initial analysis found that the attack involved the network supporting one physician practice located in Lackawanna County and a computer system used for "clinically appropriate patient images for radiation oncology treatment and other sensitive information," Nester said.
LVHN's IT team on Feb. 6 detected unauthorized activity within its IT system, he said. The organization immediately launched an investigation, engaged leading cybersecurity firms and notified law enforcement, he said.
LVHN did not immediately respond to Information Security Media Group's request for comment on the lawsuit and for additional details pertaining to the incident.
Attorneys representing plaintiffs in the lawsuit also did not immediately respond to ISMG's request for comment.
As of Tuesday, the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals did not show a report for LVHN involving the February 2022 ransomware incident.
The HHS OCR website shows an earlier hacking incident involving a network server reported by LVHN in September 2020 as affecting nearly 81,500 individuals.
HHS issued an alert to healthcare sector firms in January about BlackCat ransomware and the growing threats related to the criminal group (see: BlackCat, Royal Among Most Worrisome Threats to Healthcare).
*Update March 15, 13:43 UTC: Adds comments from Brad Rostolsky.