LVHN ransomware attack affected almost 2,800 patients
A ransomware attack on Lehigh Valley Health Network led to sensitive photos of nearly 2,800 cancer patients being leaked on the dark web, according to a recent court filing.
The data breach led to a class-action lawsuit against LVHN, which is trying to move the matter from Lackawanna County Court to U.S. District Court.
“From the information published on the dark web, it is apparent that well in excess of two-thirds of the individuals from the security breach are from Pennsylvania, and in particular northeastern Pennsylvania,” Patrick Howard, an attorney for the class-action members impacted by the breach, wrote in a letter to U.S. District Judge Malachy Mannion this week. “LVHN has identified 2,760 individuals who are victims of the security incident and it should be required to simply confirm whether more than 920 of those individuals reside outside of Pennsylvania.”
The matter, Howard said, arises from a data breach that began at some point in January. After learning of the breach in February, he added, LVHN refused the hackers' demands to pay a ransom of more than $5 million and, as a result, the hackers posted nude images of numerous LVHN patients on the dark web on March 10.
“In addition to the nude photographs, there are thousands of medical records, personnel files (both current and former employees), treatment plans, billing records, and other sensitive information posted for anyone to download,” Howard said.
The plaintiff, identified as Jane Doe, notified LVHN on April 4 that she was seeking an injunction to have the ransom paid so the sensitive information would be removed from the dark web and to require LVHN to notify those impacted by the security breach so they are made aware that their personal information is/was available for download from the dark web.
In a statement disclosing the attack on Feb. 20, Brian Nester, president and CEO of Lehigh Valley Health Network, said it was launched by a gang known as BlackCat with ties to Russia.
“Our initial analysis shows that the incident involved a computer system used for clinically appropriate patient images for radiation oncology treatment and other sensitive information,” Nester said in the statement. “BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise.
“We understand that BlackCat has targeted other organizations in the academic and health care sectors.”
Howard said he will file a formal motion to send the lawsuit back to state court.
“Every day this case remains unresolved is another day that nude images of the plaintiff and other class members remain available for download from the dark web,” he said.