Cancer patient sues hospital after ransomware gang leaks her nude medical photos

enaph

Level 28
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,775
A cancer patient whose nude medical photos and records were posted online after they were stolen by a ransomware gang, has sued her healthcare provider for allowing the "preventable" and "seriously damaging" leak.

The proposed class-action lawsuit stems from a February intrusion during which malware crew BlackCat (also known as ALPHV) broke into one of the Lehigh Valley Health Network (LVHN) physician's networks, stole images of patients undergoing radiation oncology treatment along with other sensitive health records belonging to more than 75,000 people, and then demanded a ransom payment to decrypt the files and prevent it from posting the health data online.

The Pennsylvania health care group, one of the largest in the US state, oversees 13 hospitals, 28 health centers, and dozens of other physicians' clinics, pharmacies, rehab centers, imaging and lab services. LVHN refused to pay the ransom, and earlier this month BlackCat started leaking patient info, including images of at least two breast cancer patients, naked from the waist up.


"This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior," LVHN spokesperson Brian Downs said at the time.

According to the lawsuit [PDF] filed this week, here's how one of the patients, identified as "Jane Doe" found out about the data breach — and that LVHN had stored nude images of her on its network in the first place.

On March 6, LVHN VP of Compliance Mary Ann LaRock, called Doe and told her that her nude photos had been posted on the hackers' leak site. "Ms. LaRock offered plaintiff an apology, and with a chuckle, two years of credit monitoring," the court documents say.



In addition to swiping the very sensitive photos, the crooks also made off with everything needed for identity fraud.

According to the lawsuit, LaRock also told Doe that her physical and email addresses, along with date of birth, social security number, health insurance provider, medical diagnosis and treatment information, and lab results were also likely stolen in the breach.


"Given that LVHN is and was storing the sensitive information of plaintiff and the class, including nude photographs of plaintiff receiving sensitive cancer treatment, LVHN knew or should have known of the serious risk and harm that could occur from a data breach," the lawsuit says.

It claims LVHN was negligent in its duty to safeguard patients' sensitive information, and seeks class action status for everyone whose data was exposed with monetary damages to be determined.

Pennsylvania attorney Patrick Howard, who is representing Doe and the rest of the plaintiffs in the proposed class action, said he expects the number of patients affected by the breach to be in the "hundreds, if not thousands."

"The hospital invites patients into its facility and takes possession of this data," Howard told The Register. "The hospital must ensure that the data it takes is properly safeguarded, including these highly sensitive photographs. You give the expectation of safety and security, if you act negligently in providing that safety/security, you can be held liable regardless of the conduct of a third party."

LVHN declined to comment on the suit. "We do not comment on active legal matters," Downs told The Register.


According to the lawyers, this is the second data breach affecting the Pennsylvania health-care group's patients over the last few years. In 2021, LVHN admitted that patients' personal info was stolen from one of its vendors, we're told.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,439
I would not be surprised, if she played a role in it, considering that 2 patients had nude photos stored there and one of them has decided to sue the hospital. Ransomware is "ignored" lately, since insurance pays for damages, so maybe a hacker asked the lady to stick USB into PC while on a treatment and to share the profit later. Money is guaranteed and treatments are expensive.
 

Freki123

Level 15
Verified
Top Poster
Aug 10, 2013
725
I can understand her. As long as you don't make people high up the food chain bleed enough money they don't care about your little "identiy theft and nude picture problem" (little is meant as sarcasm just to be clear). So I can fully understand for her to sue them. When the damages you have to pay to victims of the leak become high enough maybe they will find money to use for better security the next time.

So if I understand it right her physical address was leaked together with nude pictures? What could possibly go wrong after that? I mean the world consist of saints, right?
 
Last edited:
F

ForgottenSeer 98186

I would not be surprised, if she played a role in it, considering that 2 patients had nude photos stored there and one of them has decided to sue the hospital.
Hospitals and hospital-based physician offices take patient photos every single day across the world. It is normal practice to take photos, particularly for cancer patients. This is normal practice for breast cancers.

The patient is not involved in the ransonmware attack, while it makes perfect sense that they (all of the cancer patients) would sue the hospital. It is unlikely that the patients will win the case - that is if it ever makes it to a civil trial by jury. The lawsuit is brought by ALL patients as a class-action case - probably thousands of patients - and not just a single person.

Ransomware is "ignored" lately, since insurance pays for damages, so maybe a hacker asked the lady to stick USB into PC while on a treatment and to share the profit later. Money is guaranteed and treatments are expensive.
Insurnace does pay, but the payouts are getting ridiculous. So what are the insurance companies doing as a consequence? They are making it more difficult for companies to obtain insurance and drastically raising their rates. Insurance companies are demanding the companies spend lots of money on protections (some effective, others not so much).

What does this mean for the consumer?

All those costs are being foisted onto consumers. Soon your 3 euro kapustnica will be 5 euros because of all the added cyber related expenses passed onto you. In countries with nationalized healthcare systems, those systems are already in financial crises even before the heavy cyber expenses.
 
Last edited by a moderator:
  • Like
Reactions: [correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top