A health care system has agreed to settle a case with patients for $65 million after their nude photos were leaked as a result of a ransomware attack. The Lehigh Valley Health Network refused to pay a ransom it says was “in excess” of $5 million after hackers got hold of hundreds of nude photos of cancer patients taken as they underwent radiation treatment; the attackers eventually made good on their threat to release the photos. Radiation therapy often involves using photographic images of patients’ bodies to develop treatment plans.
A Lehigh Valley Health spokesperson stated that “patient, physician and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future.” The medical records of over 134,000 patients and employees were exposed in the hack, 600 of whom had their nude photos leaked. “LVHN needed to act with serious consideration of the consequences that would befall these patients if those images were released on the Internet where they can stay forever,” according to the complaint from the plaintiffs’ attorneys, the firm Saltz Mongeluzzi Bendesky. “LVHN made the knowing, reckless, and willful decision to let the hackers post the nude images of Plaintiff and others on the Internet […] rather than act in their patients’ best interest, LVHN put its own financial considerations first.”
The culprit in this case appears to be a Russian ransomware gang known as BlackCat, also going by the monikers ALPHV and Noberus. These titles technically apply to the ransomware code itself (written in the programming language Rust) as well as to those who use it. In circulation since November 2021, BlackCat works on a ransomware-as-a-service model, with developers offering the malicious code to interested parties in exchange for a cut of the ransom payments.
Earlier this year, UnitedHealth announced in its quarterly earnings report that it had suffered $872 million in losses due to “unfavorable cyberattack effects” caused by another BlackCat ransomware attack. UnitedHealth never admitted to paying anything to the criminals, although Wired reported at the time that $22 million worth of Bitcoin had been made over to BlackCat.
Ransomware is an increasingly pervasive issue. Surveying over 2,000 organizations in 2023, a report from Sophos found that 66% of respondents had been affected by ransomware. The sensitive nature of medical data and the complex digital interfacing between hospitals, pharmacies, insurers, etc. make health care organizations prime targets for cybercriminals. The medical journal JAMA estimates that ransomware attacks on hospitals and other providers doubled from 2016 to 2021.
LVHN recently completed a merger with the Philadelphia-based Jefferson Health, making it one of the 15 largest non-profit health systems in the country, with over 700 care sites and 32 hospitals across Pennsylvania and South Jersey.