Lehigh Valley Health Network agreed to pay a $65 million
settlement after nude photos of patients surfaced on the dark web
following a cybersecurity incident. Though medical information has
long made health care providers a target for ransomware groups due
to its private and sensitive nature, this settlement likely will
result in increased attacks against the health care industry.
Following a cybersecurity incident, Lehigh Valley elected not to
pay the $5 million ransom to BlackCat/ALPHV — a highly
pernicious ransomware group that was responsible for the MGM Casino
and Resort breach. Though the decision whether to pay a ransom
varies significantly in each incident, it generally comes down to a
question of financial risk.
Will paying the ransom offset the risk by more than the ransom
amount?
In the case of personally identifiable information, such as social
security numbers, and protected health information, the answer is
generally no. This is because a class action lawsuit is almost
guaranteed where the number of individuals impacted is greater than
1,000 — and that is the case whether the ransom is paid or
not.
State laws and federal regulations require notifications to
individuals, state attorneys general, and regulators in the event
of a breach that affects a certain number of individuals. These
breaches are publicly displayed on state attorneys general and
regulators' websites. Plaintiffs' law firms scrape these
sites, solicit class members, and file suit as quickly as possible
— often using the same complaint over and over again. Data
breach class action lawsuits rarely go to trial and often settle
for several hundred thousand to several million dollars.
As a result, paying a ransom is economically impractical when personal information or protected health information is impacted. (Note: This calculus changes significantly when trade secrets or confidential business information is involved).
However — the Lehigh Valley settlement just changed this calculus. Now, ransomware actors are going to be on the hunt for .png, .jpeg, .mp4 and other image and video files stored on health care networks. If they find nude images or videos of patients, their bargaining chip exponentially increases in value.
When compared with a $65 million settlement, a $5 million ransom looks much more appealing — and that is what the ransomware groups are counting on.