The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lehigh Valley Health Network Sued After Ransomware Gang Publishes Nude Patient Images

A lawsuit has been filed against Lehigh Valley Health Network (LVHN) over its recent BlackCat ransomware attack. The attack saw files encrypted after data was exfiltrated, as is typical in ransomware attacks; however, it stood out because of the threat group’s aggressive move to increase the pressure on LVHN to pay the ransom. Naked images of breast cancer patients were published on the group’s data leak site, along with medical questionnaires, passports, and other sensitive patient data such as driver’s license numbers, Social Security numbers, medical diagnosis/treatment information, and lab results.

LVHN held firm and refused to pay the ransom. The Federal Bureau of Investigation (FBI) advises against paying ransoms in ransomware attacks because payment encourages further attacks, and there is no guarantee that payment will put an end to the extortion or that stolen data will be deleted. The lawsuit claims that LVHN prioritized money over patient privacy by refusing to pay.

The lawsuit was filed in the Court of Common Pleas of Lackawanna County in Pennsylvania on behalf of plaintiff Jane Doe and similarly situated individuals. According to the lawsuit, cancer patients receiving treatment at LVHN were photographed nude, often unbeknownst to the patients themselves, and the naked images were then stored on LVHN’s network. LVHN said the photographs were clinically appropriate. The lawsuit alleges the BlackCat ransomware group issued its ransom demand and notified LVHN that it had obtained the images and would start publishing them on its data leak site if its ransom demand was refused, then proceeded to do that when payment was not made. BlackCat has also threatened to publish further data each week if its ransom demand continues to be refused.

“LVHN needed to act with serious consideration of the consequences that would befall these patients if those images were released on the Internet where they can stay forever,” stated the plaintiff’s attorneys. “LVHN made the knowing, reckless, and willful decision to let the hackers post the nude images of Plaintiff and others on the Internet… rather than act in their patients’ best interest, LVHN put its own financial considerations first.” The lawsuit seeks to hold LVHN to account for the embarrassment and humiliation that it has caused the plaintiff and class members.

In addition to the embarrassment and humiliation caused by the publication of naked images, the plaintiff and class members have also had their sensitive information stolen and published online. The theft and publication of data have put the plaintiff and class at risk of identity theft and fraud, resulting in them incurring out-of-pocket expenses and covering the cost of expensive and time-consuming efforts to mitigate the risk of fraud.

The lawsuit alleges LVHN knew or should have known about the foreseeable and catastrophic consequences of healthcare ransomware attacks and data breaches as multiple alerts had been issued by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Trade Commission, yet LVHN failed to implement appropriate and reasonable measures to protect against ransomware attacks. The lawsuit claims LVHN’s conduct violated nine HIPAA provisions and makes allegations of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, breach of confidence, and publicity given to private life. The lawsuit seeks class action status, a jury trial, and remedies including damages, reimbursement of out-of-pocket costs, and equitable and injunctive relief, including improvements to LVHN’s data security systems, annual security audits, and the provision of identity theft protection services to the plaintiff and class.

The lawsuit was filed by Simon VB. Harris and Patrick Howard of the law firm Saltz, Mongeluzzi, & Bendesky, P.C.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
