pwshub.com

Healthcare giant settles patient data theft lawsuit for $65M

A US healthcare giant will pay out $65 million to settle a class-action lawsuit brought by its own patients after ransomware crooks stole their data – including their nude photographs – and published at least some of them online.

Lehigh Valley Health Network (LVHN), one of the largest primary care groups in Pennsylvania, discovered an IT intrusion on February 6, 2023 and later named the notorious ALPHV aka BlackCat gang for the attack.

Whoever was responsible, gigabytes of data describing 134,000 patients and staff was stolen by the extortionists. Names, addresses, Social Security numbers, and state ID data were stolen, as were medical records and surgical images. A ransom was demanded to avoid the info being leaked online.

According to a lawsuit [PDF] filed against LVHN in the following month, the medical group routinely took pictures of naked cancer patients – in some cases without their knowledge.

When the hospital refused to pay BlackCat's ransom to ensure the stolen data was not released, the cruel criminals posted the material online – and LVHN's customers were left fuming.

"While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims," the lawsuit states. "Rather than act in their patients' best interest, LVHN put its own financial considerations first."

LVHN publicly disclosed the attack on February 20 that year, and claimed its scope was limited.

On March 4, the ALPHV gang posted a warning on its website threatening to distribute the stolen images online unless LVHN paid up. The medical group refused, so the criminals went ahead and uploaded a selection of the pilfered material to their dark-web portal – including photographs with personally identifying information.

The court documents recount how an unidentified plaintiff was called by the hospital's vice president of compliance on March 6, with news that naked images of her were now online, before offering – "with a chuckle" – two years of credit monitoring services. The Jane Doe plaintiff responded that she had no idea that the hospital had taken photographs of her while unclothed during her treatment for breast cancer, nor that it was storing them on corporate servers.

While LVHN informed customers and staff of the privacy breach, ALPHV ratcheted up the pressure, leaking another 132GB of material online on March 10 and threatening to reveal more every week until the ransom was paid.

Court documents do not state if the ransom was ever paid, and neither LVHN nor the lawyers involved have responded to our inquiries.

The plaintiff's lawyers argued that the hospital failed in its duty of care to protect information. In addition, its actions were allegedly in violation of America's Health Insurance Portability and Accountability Act.

The healthcare group, while agreeing to the settlement terms, denied any wrongdoing.

LVHN has experience in this area. Back in July 2022 the medical group confirmed it had been the victim of a similar ransomware attack that affected 75,628 patients. It appears sufficient precautions were not taken to stop a repeat – which is unusual given that the medical sector is a prime target for ransomware scumbags.

The plaintiff's legal firm, Saltz Mongeluzzi Bendesky, claimed the settlement is "the largest of its kind, on a per-patient basis, in a healthcare data breach ransomware case." Those whose data was posted online have been categorized in four tiers, the lowest of which will receive $50 apiece for having had their medical records accessed. The highest tier – those whose nude pics appeared online – will receive between $70,000 and $80,000 – after the lawyers take their cut. ®

Source: theregister.com
