A Pennsylvania cancer patient filed a lawsuit against the health care provider on Monday, claiming that the organization’s failure to protect her sensitive data amounts to negligence and a breach of its basic duties to safeguard her medical records.
The suit is just the latest against hospitals that have suffered ransomware attacks resulting in the exposure of sensitive patient files. This Pennsylvania suit against the Lehigh Valley Health Network came after hackers posted nude photos of the cancer patient along with her health records, another sign that ransomware gangs are becoming more brazen in their efforts to convince victims to comply with extortion demands.
Last month, in an increasingly common experience for hospitals, the AlphV/BlackCat ransomware crew posted a notice on the dark web announcing that it had penetrated Lehigh’s system and was prepared to publish files if the provider didn’t pay. The revealing photos of the woman who brought the suit, identified only as Jane Doe, were apparently among several documents the group posted as proof of their access to Lehigh’s network.
“We have the data of your client base of patients, namely their passports, personal data, questionnaires, nude photos and the like,” the group said in its first post on March 4, alongside screenshots of apparent medical records and photos of what appeared to be breast cancer patients undergoing care. Then, on March 10, the group added another post and a link to download 132 gigabytes of data after Lehigh apparently failed to comply with their demands. “Follow the link to the data and enjoy,” the post read. “We’ll be doing this until we post a complete list of 1 TB dates.”
The Lehigh Valley Health Network suffered the attack on Feb. 6, and publicly disclosed that it was the victim of a cyberattack in a Feb. 22 statement posted to the company’s site. The ransomware group demanded payment but the company “refused to pay this criminal enterprise,” the statement read.
An updated statement shared with media last week and provided to CyberScoop on Tuesday said the company was working with cybersecurity firms to analyze the scope of the exfiltrated data, and acknowledged that AlphV/Black Cat had posted additional data. “[W]e expect this shameful tactic to continue,” the statement read, adding that “this despicable act is executed by cyber criminals trying to make money by taking advantage of our patients and colleagues caring for patients and we condemn this reprehensible exploitation.”
According to the lawsuit, Doe saw media coverage of the breach and emailed her physicians on Feb. 28 asking whether her information was lost. “At that point, [Doe] had no idea that LVHN stored nude images of her on its computer network,” the suit reads. On March 6, the company’s vice president of compliance contacted Doe and notified her that nude images were posted online. The official, Mary Ann LaRock, offered “an apology, and with a chuckle, two-years of credit monitoring,” according to the suit. Doe contacted local police and filed a police report.
The suit seeks class action status for all parties whose data was exposed, and monetary damages to be determined later.
Given the history of cyberattacks on medical facilities and the sensitive and valuable nature of the data involved, the suit alleges, the company “knew or should have known of the serious risk and harm that would occur from a data breach.” And despite “the abundance and availability of information regarding cybersecurity best practices for the healthcare industry and the prevalence of health care data breaches, LVHN inexplicably failed to adopt sufficient data security practices.”
A company spokesperson declined to comment on the lawsuit.
Ransomware attackers have for years targeted hospitals and other medical facilities, given that the nature of the highly sensitive data and the need for the facilities to get systems back online rapidly could lead to both higher payments and shorter negotiation times. There were at least 25 ransomware incidents last year involving hospitals and multi-hospital health systems, potentially impacting patient care at up to 290 hospitals, according to cybersecurity company Emsisoft.
The Department of Health and Human Services Office for Civil Rights is currently investigating 869 health information-related data breaches affecting 500 or more people reported within the last two years, according to data posted to the agency’s breach portal. With breach causes including hacking/IT incidents and unauthorized access/disclosure, the cases collectively involve a potential 78 million people.