ALLENTOWN, Penn. — A Pennsylvania-based healthcare system has agreed to pay $65 million to the victims of a Feb. 2023 ransomware attack that resulted in nude treatment photos being posted online.
The data of nearly 135,000 patients and employees were exposed when Russia-based ransomware group BlackCat hacked one physician practice within the Lehigh Valley Health Network. Of those patients, over 600 had their personal medical records accessed, including clinically appropriate images of oncology treatments.
To pressure LVHN into paying a $5 million ransom, BlackCat began releasing stolen data on its leak site, including screenshots of documents with patient diagnoses and images of three breast cancer patients, naked from the waist up. In total, around 132 gigabytes of information and images were uploaded to the dark web, KFOR reports.
One of the patients whose nude photos were leaked, identified as Jane Doe, filed a lawsuit against LVHN, claiming it was negligent in its duty to safeguard patients’ sensitive information. The patient accused LVHN of putting its own “financial considerations” above “their patients’ best interest” and sought class-action status for everyone whose data was exposed.
As part of the settlement, which is subject to approval by a judge, each victim will receive a payment ranging from $50 to $70,000. Those who had their photos published online will receive 80% of the settlement money.
Carter Groome, chief executive of cybersecurity firm First Health Advisory, told CNN that the settlement “shifts the legal, insurance and adversarial ecosystem.”
“If you’re protecting health data as a crown jewel — as you should be — images or photos are going to need another level of compartmentalized protection,” he continued.
Healthcare Cyber Attacks Up 128%
BlackCat has gained notoriety for cyber attacks against academic campuses and healthcare institutions. The group also claimed to be behind another high-profile Feb. 2023 attack against Change Healthcare, a health insurance billing firm. The cyber attack brought hospitals and small practices across the U.S. to a standstill because providers could no longer settle patients’ bills, according to Daily Mail.
According to an internet crime report released by the FBI in June, cyber attacks against the healthcare sector increased 128% in a single year, with 258 attacks in 2023 versus 113 in 2022.
The FBI maintains organizations should not pay a ransom because it doesn’t guarantee they’ll get data back and it encourages more ransomware activities. However, following the LVHN incident, cybersecurity experts said the attack may indicate a shift in attackers’ desperation as ransomware targets increasingly refuse to pay.
“Other organizations will look at this case and say, well, maybe if I do pay $5 or $10 million in ransom, maybe I won’t have to face a class-action lawsuit,” said Groome.
The 2023 IBM Security Cost of a Data Breach Report found the average data breach cost in the U.S. is $9.48 million. For the thirteenth year in a row, the report also determined healthcare data breaches are the costliest, with an average cost of $10.93 million — a 53.3% increase over the previous three years. This July, the White House announced its partnership with Microsoft and Google to offer free cybersecurity services to approximately 2,000 critical access hospitals in rural areas.
LVHN defended its decision to refuse to pay the hackers but said it would continue to enhance its cybersecurity defenses. The healthcare group, one of the largest in the state, oversees 13 hospitals, 28 health centers, and dozens of other physicians’ clinics, pharmacies, rehab centers, imaging, and lab services.