An American healthcare giant will pay $65 million to settle a class action brought by its patients after ransomware criminals stole and published the patients' private data, including nude photographs.
Event background
Lehigh Valley Health Network (LVHN) is one of the largest primary healthcare groups in Pennsylvania. LVHN had earlier discovered that its IT systems were compromised and later confirmed that the intrusion was an attack by the ALPHV (also known as BlackCat) ransomware group.
The attackers stole a large volume of private data belonging to 134,000 patients and employees, including names, addresses, Social Security numbers, state ID card data, medical records and surgical images. They demanded that the hospital pay a ransom, threatening to publish the data online otherwise.
According to the lawsuit, the medical group routinely photographs cancer patients unclothed, and in some cases may do so without the patient's knowledge. The hospital refused to pay BlackCat's ransom, and the attackers subsequently released the data, which angered the affected patients.
Litigation details
The lawsuit states: "Although LVHN publicly touted that it had resisted the hackers' extortion demand, it was actually ignoring the real victims." It argues that LVHN did not consider the interests of its patients but put avoiding its own financial losses first.
LVHN disclosed the attack several days later, claiming that its scope was limited. On March 4th, the ALPHV gang posted a warning on its website, threatening to publish the stolen images online unless LVHN paid the ransom. The medical group refused to pay. As a result, the criminals uploaded some of the stolen material, including photographs accompanied by personal information, to the dark web.
The lawsuit records that an unnamed plaintiff received a phone call from the hospital's vice president of compliance on March 6th, informing her that her nude photographs had been uploaded to the Internet; the caller then, continuing the conversation with a smile, offered her two years of credit monitoring. The plaintiff replied that she had not known the hospital had taken nude photographs of her during her breast cancer treatment, nor that the photographs were stored on the company's servers.
Although LVHN notified patients and employees of the breach, ALPHV kept up the pressure, releasing a further 132GB of data on March 10 and threatening to release more material every week until the hospital paid the ransom.
The plaintiffs' lawyers said that LVHN failed to fulfil its duty to protect the information and that its conduct was also suspected of violating the U.S. Health Insurance Portability and Accountability Act (HIPAA).
Although LVHN agreed to the settlement terms, it denied any wrongdoing. Notably, LVHN suffered a similar ransomware attack in July 2022, affecting 75,628 patients. Clearly the medical group had not taken sufficient preventive measures to stop such incidents from recurring, which is not unusual in the healthcare sector, since the industry is a prime target for ransomware attackers.
Saltz Mongeluzzi Bendesky, the plaintiffs' law firm, said that this settlement represents "the maximum settlement amount per patient in comparable cases". The affected individuals will be divided into four tiers. Patients in the lowest tier will receive US $50 in compensation, while those in the highest tier (i.e., patients whose nude photographs were exposed) will receive US $70,000 to US $80,000 (after deduction of attorney fees).
It is worth noting that data leaks and ransom demands against hospital systems have occurred frequently in recent years. Public reporting shows, for example, that:
Enzo Biochem was ordered to pay $4.5 million over a ransomware attack enabled by inadequate security measures.
https://www.theregister.com/2024/08/14/enzo_biochem_ransomware_fine/
Attackers broke into HealthEquity's storage systems and stole the private data of 4.3 million people.
https://www.theregister.com/2024/07/29/healthequity_says_data_breach_affects/
A ransomware infection disrupted blood supplies to more than 250 hospitals.
https://www.theregister.com/2024/07/29/healthequity_says_data_breach_affects/
Cancer patients were forced into difficult decisions after the Qilin attack on London hospitals.
https://www.theregister.com/2024/07/29/healthequity_says_data_breach_affects/
Source:
https://www.theregister.com/2024/09/12/lvhn_lawsuit_ransom/
Article reprinted from: Security guest