Lehigh Valley Health Network (LVHN), a US-based healthcare provider, agreed to pay victims $65 million after Russia-linked hacker group ALPHV leaked nude images of LVHN’s cancer patients.
The attack, which eventually led to LVHN’s patients suing the company, took place in early 2023, after the ALPHV/BlackCat ransomware cartel breached the healthcare provider’s systems and siphoned gigabytes of sensitive data on 135,000 patients.
According to Saltz Mongeluzzi Bendesky, a law firm representing the victims, attackers published sensitive data of at least 600 of LVHN’s patients.
According to the lawsuit, which LVHN opted to settle, cancer patients receiving treatment were photographed in the nude, often without their knowledge. The pictures were stored on LVHN’s network, which the ransomware cartel successfully infiltrated.
The settlement case should receive its final approval on November 15th, with the law firm expecting that funds will be distributed next year. Settlement Class members will receive payments ranging from $50 to $70,000. Victims who had their nude photos leaked will receive the maximum payment.
Ransomware cartels often publish bits of stolen data to force breached companies into paying the ransom. ALPHV did just that, publishing data and photos of likely breast cancer patients on its dark web blog. LVHN said it refused to pay the ransom demanded by hackers.
Authorities advise against paying hackers, saying that there’s no guarantee threat actors will decrypt data. Paying the ransom may also invite unwelcome attention from other syndicates, as criminals start seeing the victim as solvent.
However, the class action lawsuit indirectly blames LVHN for not paying the ransom, saying that “LVHN needed to act with serious consideration of the consequences that would befall patients if those images were released on the internet […]. LVHN made the knowing, reckless and willful, decision to let the hackers post nude images of Plaintiff and others on the internet.”
Meanwhile, paying the ransom hardly guarantees safety. According to a recent report from cybersecurity firm Halcyon, “of the organizations that opted to pay a ransom demand, the majority (78%) said the attackers failed to provide a working decryptor or data was corrupted upon decryption.”
A survey of mostly IT companies in the US, UK, France and Germany from Semperis, another cybersecurity firm, showed that 72% of companies that paid the ransom did so multiple times, with a third paying four or more times.
Arguably, the real issue behind the LVHN breach was not the organization refusing to pay the cybercriminals, but having sensitive personally identifiable information (PII) stored together with highly sensitive images, which could be linked with patients’ names.
LVHN is a Pennsylvania-based healthcare provider, comprised of 13 hospital campuses, 28 health centers, 20 express care locations and additional pharmacies, practices, rehabilitation centers, and other service providers.
The culprits, the ALPHV/BlackCat ransomware gang, left the ransomware landscape earlier this year, after faking an FBI takedown. Experts believe the move was a so-called “exit scam,” in which the heads of the gang take the ransom payments that affiliates collected from breach victims and disappear, leaving those doing the dirty work empty-handed.
Researchers believe the newly emerged Cicada3301 ransomware gang may be a rebrand of ALPHV/BlackCat.