(Image credits: CyberXRef, 2014)
Update 4/13/2023: Litigation information included with updated breach information
One-sentence summary:
A Lehigh Valley Health Network location in Lackawanna County had a single computer breached by BlackCat, a Russian ransomware group, which potentially obtained photos of over 2,760 patients and leaked nude patient photos, resulting in a lawsuit.
Who was involved?
BlackCat, Lehigh Valley Health Network location, potentially 2,760 patients, and a single computer system.
What was the timeline?
February 6, 2023: Threat actor was detected on the network. “Investigation is ongoing” (WFMZ, 2023, para. 10).
February 20, 2023: Media outlets appear to have published press statements from LVHN.
March 13, 2023: Photographed victim files lawsuit against Lehigh Valley Health Network.
What occurred?
On February 6, Lehigh Valley Health Network discovered that a single endpoint used in its oncology program “for patient images” with “sensitive information” had been breached, and it initiated an investigation and incident response (WFMZ, 2023). LVHN is refusing to pay the ransom at this time. As a result, BlackCat posted the nude patient images online, which resulted in litigation by the photographed victims (Jane Doe v. Lehigh Valley Health Network, 2023). Reportedly, 2,760 patients and their images are now at stake due to the breach (Wfmz-Tv, 2023). BlackCat’s ransom demand has also been identified as $5 million and has still not been paid (Wfmz-Tv, 2023).
Estimated costs:
Internal and external incident response costs (WFMZ, 2023, para. 9). Breach notification costs. However, the attack “has not disrupted LVHN’s operations” (Sigafoos, 2023, para. 2). Litigation defense.
Involved laws:
Federal: HIPAA and HITECH.
FTC Act, 15 U.S.C. § 45 (Jane Doe v. Lehigh Valley Health Network, 2023, p. 28).
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
69 News (WFMZ). (2023, February 20). LVHN reports cyberattack by Russian ransomware gang. WFMZ.com. Retrieved February 20, 2023, from https://www.wfmz.com/news/area/lehighvalley/lvhn-reports-cyberattack-by-russian-ransomware-gang/article_6ceb11e0-b133-11ed-9bdc-7b7c0a2adf99.html
CyberXRef. (2014, March 17). File:Lehigh Valley Hospital 03.JPG. Wikimedia Commons. https://commons.wikimedia.org/wiki/File:Lehigh_Valley_Hospital_03.JPG
Jane Doe v. Lehigh Valley Health Network, Docket No. 3:23-cv-00585-RDM (Lackwan. Co. 2023). https://www.classaction.org/media/doe-v-lehigh-valley-health-network-inc.pdf
Sigafoos, S. (2023, February 20). Lehigh Valley Health Network says it was target of Russian ransomware gang BlackCat. LehighValleyNews.com. Retrieved February 20, 2023, from https://www.lehighvalleynews.com/health-news/2023-02-20/lehigh-valley-health-network-says-it-was-target-of-russian-ransomware-gang-blackcat
Wfmz-Tv. (2023, April 12). Court filing: Personal info, sensitive photos of 2,760 patients stolen during LVHN data breach. WFMZ.com. https://www.wfmz.com/news/area/lehighvalley/court-filing-personal-info-sensitive-photos-of-2-760-patients-stolen-during-lvhn-data-breach/article_f115539c-d97c-11ed-be1f-bfb6cf4c8bfd.html