Ransomware Gangs Release Naked Photos of Cancer Patients, Student Sexual Assault Records

Cybersecurity experts say ransomware groups are going to extremes as more organizations refuse to pay ransoms.

Ransomware Gangs Release Naked Photos of Cancer Patients, Student Sexual Assault Records

Photo: romaset, Adobe Stock

A Russia-based ransomware group published naked photos of patients undergoing cancer treatment after a Pennsylvania healthcare organization refused to pay a ransom.

Lehigh Valley Health Network (LVHN) recently announced it was dealing with a ransomware attack that was detected on Feb. 6, reports The HIPAA Journal. LVHN confirmed the BlackCat ransomware group was behind the attack and issued a ransom demand to prevent the release of stolen data.

LVHN President and CEO Brian Nester said when it refused, the group attacked the network used to support a physician practice in Lackawanna County. The healthcare group, one of the largest in the state, oversees 13 hospitals, 28 health centers, and dozens of other physicians’ clinics, pharmacies, rehab centers, imaging, and lab services.

The hacked system contained clinically appropriate images of patients receiving oncology treatment and other sensitive patient data. To pressure LVHN into paying the ransom, BlackCat began releasing stolen data on its leak site, including screenshots of documents with patient diagnoses and images of three breast cancer patients, naked from the waist up.

Last week, one of the patients whose photos were stolen filed a lawsuit against LVHN, claiming it was negligent in its duty to safeguard patients’ sensitive information and seeking class-action status for everyone whose data was exposed. The lawsuit alleges the patient was told that her physical and email addresses, date of birth, social security number, health insurance provider, medical diagnosis, treatment information, and lab results were also likely stolen in the breach.

According to Wired, cybersecurity experts say the situation at LVHN may indicate a shift in attackers’ desperation as ransomware targets increasingly refuse to pay.

“As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques,” said Allan Liska, an analyst for security firm Recorded Future. “I think we’ll see more of that. It follows closely patterns in kidnapping cases, where when victims’ families refused to pay, the kidnappers might send an ear or other body part of the victim.”

On March 7, another ransomware gang known as Medusa escalated its tactics by releasing data stolen from Minneapolis Public Schools in February after it refused to pay a $1 million ransom. The group leaked photos that included screenshots of handwritten notes describing a sexual assault allegation and the names of three students allegedly involved in the incident. Medusa also posted a 50-minute video of attackers scrolling through all the data they stole from the district, which includes records related to students, staff, and parents that date back to 1995. HIPAA Journal describes this as a “novel twist” as attackers don’t typically reveal precisely what data they have stolen.

However, recent data suggests refusals to pay may be working. The FBI Internet Crime Complaint Center (IC3) said in its annual Internet Crime Report that it received 2,385 reports of ransomware attacks in 2022, totaling $34.3 million in losses. In 2021, there were 3,729 ransomware complaints totaling $49 million in losses.

According to Coveware, a ransomware recovery company, only 37% of victims paid a ransom following a ransomware attack in Q4 2022, compared to 76% of victims in 2019. Coveware says there are other factors driving down the profitability of ransomware attacks, including greater investment in security and incident response planning. The company also says that as revenue from ransomware attacks decreases, operating costs to carry out attacks increases, meaning fewer bad actors can make a living from issuing ransomware — hence the need to adopt new tactics.

“We really haven’t seen things like this before. Groups have done unpleasant things, but it was adults that were targeted, it wasn’t sick cancer patients or school kids,” said Brett Callow, a threat analyst for antivirus company Emsisoft. “I hope that these tactics will bite them in the butt and that companies will say no, we cannot be seen funding an organization that does these heinous things. That’s my hope anyway.”

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

About the Author


Amy is Campus Safety’s Executive Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy has many close relatives and friends who are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety HQ