A cancer patient whose nude treatment photos and medical records were posted online after they were stolen in a ransomware attack, has sued the healthcare provider for allowing a “preventable” and “seriously damaging” incident.
The proposed class-action lawsuit stems from a February intrusion during which ransomware gang BlackCat (also known as ALPHV) broke into one of the Lehigh Valley Health Network (LVHN) physician’s networks, stole images of patients undergoing radiation oncology treatment along with other sensitive health records belonging to more than 75,000 people, and then demanded a ransom payment to decrypt the files and prevent it from posting the health data online.
The Pennsylvania health care group, one of the largest in the state, oversees 13 hospitals, 28 health centers, and dozens of other physicians’ clinics, pharmacies, rehab centers, imaging and lab services. LVHN refused to pay the ransom, and earlier this month BlackCat started leaking patient info, including images of at least two breast cancer patients, naked from the waist up.
“This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior,” LVHN spokesperson Brian Downs said at the time.
Ms. LaRock offered plaintiff an apology, and with a chuckle, two years of credit monitoring
According to the lawsuit [PDF] filed this week, here’s how one of the patients, identified as “Jane Doe” found out about the data breach — and that LVHN had stored nude images of her on its network in the first place.
On March 6, LVHN VP of Compliance Mary Ann LaRock, called Doe and told her that her nude photos had been posted on the hackers’ leak site. “Ms. LaRock offered plaintiff an apology, and with a chuckle, two years of credit monitoring,” the court documents say.
In addition to swiping the very sensitive photos, the crooks also made off with everything needed for identity fraud.
According to the lawsuit, LaRock also told Doe that her physical and email addresses, along with date of birth, social security number, health insurance provider, medical diagnosis and treatment information, and lab results were also likely stolen in the breach.
“Given that LVHN is and was storing the sensitive information of plaintiff and the class, including nude photographs of plaintiff receiving sensitive cancer treatment, LVHN knew or should have known of the serious risk and harm that could occur from a data breach,” the lawsuit says.
It claims LVHN was negligent in its duty to safeguard patients’ sensitive information, and seeks class action status for everyone whose data was exposed with monetary damages to be determined.
Pennsylvania attorney Patrick Howard, who is representing Doe and the rest of the plaintiffs in the proposed class action, said he expects the number of patients affected by the breach to be in the “hundreds, if not thousands.”
“The hospital invites patients into its facility and takes possession of this data,” Howard told The Register. “The hospital must ensure that the data it takes is properly safeguarded, including these highly sensitive photographs. You give the expectation of safety and security, if you act negligently in providing that safety/security, you can be held liable regardless of the conduct of a third party.”
LVHN declined to comment on the suit. “We do not comment on active legal matters,” Downs told The Register.
According to the lawyers, this is the second data breach affecting the Pennsylvania health-care group’s patients over the last few years. In 2021, LVHN admitted that patients’ personal info was stolen from one of its vendors, we’re told. ®