The expression “there is no honor among thieves” was recently revived and proved true by the Russian ransomware group BlackCat. On February 6, 2023, BlackCat encrypted and held for ransom the systems of the Pennsylvania-based Lehigh Valley Health Network (LVHN), which owns several medical practices, including oncology. After LVHN refused to pay the ransom, BlackCat specifically threatened to release, and subsequently did release, nude photos of cancer patients in retaliation against the network owner.
While the malicious and criminal elements initiating the cyber-attacks are undeniably culpable, there is a growing trend to hold the network owners responsible for poor and/or misleading cyber practices. Indeed, the Securities and Exchange Commission recently fined Blackbaud Inc., a South Carolina company offering data management software to non-profit organizations, $3 million for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers.
Now, the victims of the LVHN ransomware attack are seeking damages from the healthcare center in a proposed class action filed with the Court of Common Pleas for Lackawanna County in Pennsylvania. Therein, the Jane Doe plaintiff alleges that nude photos of her were taken during cancer treatment, sometimes without her knowledge, and that “LVHN made the knowing, reckless, and willful, decision to let the hackers post the nude images of Plaintiff and others on the internet.” The Plaintiff asserts that LVHN did not reasonably secure or store the Plaintiff's sensitive information and “enacted unreasonable data security measures that it knew or should have known were insufficient to reasonably protect the highly sensitive information.”
After seeing the news of the cyber-attack on LVHN, the plaintiff claims that she emailed her physician on February 28, 2023, asking about the integrity of her sensitive information. However, the plaintiff maintains that she was unaware of the existence of any nude photos kept by LVHN. On March 6, 2023, LVHN's Vice President of Compliance called the Plaintiff to confirm that nude images of her were taken during radiation and posted online, along with the patient’s address, social security number, date of birth, diagnosis, and insurance information.
While the complaint fails to specify how LVHN failed to implement HIPAA-required cybersecurity precautions, the plaintiff follows the new practice of utilizing HIPAA standards to establish a legal duty sufficient to support a negligence claim despite the absence of a private right of action for the failure to adhere to regulatory requirements.
The attack against LVHN breaks new ground with both the disturbing methods employed by the bad actors and the potential jurisprudence stemming from the litigation. However, with extortion, and specifically “sextortion,” a growing trend for malicious actors and the predicted unavailability of cyber insurance, healthcare networks face new and terrifying threats and consequences of lax cybersecurity practices.