ARTICLE
1 October 2024

Patient Photos Just Became A Prime Target For Cyber Criminals

Buchanan Ingersoll & Rooney PC

With 450 attorneys and government relations professionals across 15 offices, Buchanan Ingersoll & Rooney provides progressive legal, business, regulatory and government relations advice to protect, defend and advance our clients' businesses. We service a wide range of clients, with deep experience in the finance, energy, healthcare and life sciences industries.

Lehigh Valley Health Network agreed to pay a $65 million settlement after nude photos of patients surfaced on the dark web following a cybersecurity incident. Though medical information has long made health care providers a target for ransomware groups due to its private and sensitive nature, this settlement likely will result in increased attacks against the health care industry.

Following a cybersecurity incident, Lehigh Valley elected not to pay the $5 million ransom demanded by BlackCat/ALPHV, a highly pernicious ransomware group that was also responsible for the MGM Resorts breach. Though the decision whether to pay a ransom varies significantly from incident to incident, it generally comes down to a question of financial risk.

Will paying the ransom offset the risk by more than the ransom amount?

In the case of personally identifiable information, such as Social Security numbers, and protected health information, the answer is generally no. This is because a class action lawsuit is almost guaranteed where the number of individuals impacted is greater than 1,000, and that is the case whether the ransom is paid or not.

State laws and federal regulations require notifications to affected individuals, state attorneys general, and regulators in the event of a breach that affects a certain number of individuals. These breaches are publicly listed on the websites of state attorneys general and regulators. Plaintiffs' law firms scrape these sites, solicit class members, and file suit as quickly as possible, often reusing the same complaint from case to case. Data breach class action lawsuits rarely go to trial and often settle for several hundred thousand to several million dollars.

As a result, paying a ransom is economically impractical when personal information or protected health information is impacted. (Note: This calculus changes significantly when trade secrets or confidential business information is involved).

However, the Lehigh Valley settlement just changed this calculus. Now, ransomware actors are going to be on the hunt for image and video files (.png, .jpeg, .mp4 and similar formats) stored on health care networks, not just for databases of patient records. If they find nude images or videos of patients, the value of their bargaining chip increases dramatically. Health care organizations should therefore know where clinical photographs and recordings are stored, who can reach them, and whether they are as tightly controlled as the records they accompany.

When compared with a $65 million settlement, a $5 million ransom looks much more appealing, and that is exactly what the ransomware groups are counting on.

Related reading from The Washington Post: "As hackers penetrate American health-care firms with alarming regularity, the episode reveals how cyberthieves are exploiting uniquely sensitive data — with devastating human and financial consequences."

www.washingtonpost.com/...

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
