Hackers stole nude photos of around 600 men and women being treated for cancer at a Pennsylvania hospital, the latest in a rapidly growing number of cyberattacks against healthcare systems.
Ransomware attacks against hospitals, in which hackers hold delicate patient information hostage until the entity hands over a considerable sum of money, are increasingly common.
In the US, attacks against the healthcare sector were up 128 percent in a single year, with 258 victims in 2023 versus 113 in 2022.
The latest hospital to fall victim to ransomware was the Lehigh Valley Health Network, which recently settled for $65 million a case brought against it for allegedly failing to safeguard highly sensitive patient information, including naked photos of patients.
The lead plaintiff in the case, referred to only as Jane Doe, is a woman in her 50s whose naked photos taken during her radiation treatments made it onto the dark web, causing her a mixture of rage, anger, anxiety, and fear.
Lehigh Valley Hospital Network fell victim to a ransomware attack that saw 135,000 patients’ private information land on the dark web
The ransomware group BlackCat claimed to be responsible for the attack in February 2023, but its reach was limited. The hospital said the extent of the hack stopped at one practice within the Lehigh Valley system, a facility in Lackawanna County.
But the private data of roughly 134,000 patients was exposed, including diagnoses, medical history and the nude photos of hundreds of men and women.
Jane Doe had no idea Lehigh Valley had stored nude photos of her on their computer system. She heard about the hack on the news and called the hospital to ensure her information was safe.
She did not know then that BlackCat had taken her photos and those of hundreds of others and posted them online. The lawsuit does not specify why nude photos were taken of the patients.
In addition to photos, patients’ personal information, medical record numbers, treatment and diagnosis information and health insurance information were released.
Some had email addresses, banking information, and social security numbers divulged as well.
According to the lawsuit, the likelihood that Jane Doe’s private information will be used in the future for identity theft and fraud has caused her to experience ‘feelings of rage, anger, anxiety, sleep disruption, stress, and fear.’
A Lehigh Valley Health spokesperson said: ‘Patient, physician and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future.’
BlackCat, or ALPHV, has claimed to be behind several other high-profile hacks on healthcare systems.
In February 2023, the hacking firm attacked UnitedHealth Group’s tech arm, Change Healthcare, which processes insurance claims. The cyberattack brought hospitals and small practices nationwide to a standstill as the outage meant providers could no longer settle patients’ bills.
In May 2024, Ascension, a major US healthcare provider, was subjected to a major ransomware attack linked to the Black Basta cybercrime group. The attack is believed to have been caused by a malicious file sent in a phishing email that an employee clicked.
Hackers were able to access a wide array of private servers containing private and protected health information. This disrupted workers’ ability to access patient records, caused delays in medical procedures, and diverted ambulances.
Ransomware attacks wreak havoc on the health systems they target, locking staff out of critical electronic health records systems, blocking scheduling tools, and interfering with medical devices.
Critical data may be unavailable, resulting in slower diagnosis or treatment and potentially causing a 35 to 41 percent rise in in-hospital mortality rates during the attack.
Data breaches at hospitals are more common than ever. Ransomware attacks targeting hospitals doubled from 2016 to 2021. They have become steadily more common annually since 2012, according to federal surveillance.
Health data is a prime target for hackers because it contains a treasure trove of personal information, from medical history to social security and insurance information, as well as credit card information.
According to the lawsuit against Lehigh Valley, the hospital system neglected to pay the $5 million ransom to recover the photos and other sensitive information.
Healthcare entities are typically advised not to pay the ransom levied against them because it could encourage more attacks, as it shows cybercriminals they can get paid with enough pressure.
Paying the fee does not guarantee the victims will regain access to their controls, nor is there a guarantee the information will not be made public.