U.S. Medical Network to Pay $65 Million for Leakage of Patient Data

In 2023, hackers published intimate photos of LVHN patients.

One of Pennsylvania's largest healthcare organizations, the Lehigh Valley Health Network (LVHN), has agreed to pay $65 million to settle a class-action lawsuit filed by patients after their personal data was leaked in a ransomware attack. The leaked data included not only personal information such as names, addresses and Social Security numbers, but also medical records and photographs, including images of naked patients, some of which were published online.

The intrusion into LVHN's IT systems was discovered on February 6, 2023. The ALPHV hacking group, also known as BlackCat, was blamed for the attack. The criminals stole gigabytes of data belonging to 134,000 patients and employees and demanded a ransom, threatening to make the stolen information public if it was not paid.

According to a lawsuit filed in March 2023, the medical organization systematically took nude pictures of patients undergoing cancer treatment, sometimes without their knowledge. After LVHN refused to pay the ransom, the cybercriminals carried out their threat and began publishing the stolen data, including photos with personal information.

The medical network publicly announced the hacker attack on February 20, claiming that its scope was limited. However, on March 4, the ALPHV group posted a warning on its website that it was going to make the stolen images public if a ransom was not paid. Despite LVHN's refusal, on March 10, the criminals released another 132 GB of data and promised to continue leaking every week.

One of the plaintiffs, who received a notice that her nude images were publicly available, said that she had not even suspected that she was photographed during breast cancer treatment, much less that these images were stored on the medical network's servers. Moreover, she was outraged by the reaction of an LVHN representative, who informed her about the leak with a sneer and offered two years of free credit monitoring as compensation.

The plaintiffs' lawyers allege that LVHN violated its obligations to protect the privacy of patient data, which is also a violation of the U.S. Health Insurance Portability and Accountability Act (HIPAA). However, the medical network did not admit guilt, despite agreeing to pay compensation.

According to the law firm Saltz Mongeluzzi Bendesky, this settlement is the largest of its kind in a case involving a data breach resulting from a ransomware attack. Patients whose data was published online will receive compensation, divided into four categories. The smallest payout is $50 for those whose medical records were compromised. The largest compensation, $70,000 to $80,000, will go to those whose nude photos were posted online.

Lehigh Valley Health Network has been subjected to cyberattacks before. In July 2022, the organization fell victim to a similar incident in which the data of almost 76,000 patients was compromised. Despite this, the necessary measures were not taken to prevent a second attack, raising questions about the medical network's preparedness to counter cyber threats.
