Hackers have stolen nude photos of about 600 men and women being treated for cancer at a Pennsylvania hospital, the latest in a series of rapidly growing cyberattacks on health care systems.
Ransomware attacks on hospitals, in which hackers hold confidential patient data hostage until the entity hands over a significant sum of money, are becoming more common.
In the US, attacks on the healthcare sector have increased by 128 percent in a single year, with 258 victims in 2023, compared to 113 in 2022.
The latest hospital to fall victim to ransomware was Lehigh Valley Health Network. The hospital recently settled a lawsuit filed against it for $65 million over its failure to protect highly sensitive patient data, including nude photos of patients.
The lead plaintiff in the case, identified only as Jane Doe, is a woman in her 50s. Nude photos she took during her radiation treatments have ended up on the dark web, leaving her with a mixture of anger, rage, fear and dread.
Lehigh Valley Hospital Network was the victim of a ransomware attack that exposed the personal information of 135,000 patients on the dark web.
Ransomware group BlackCat claimed responsibility for the February 2023 attack. The hospital said the hack was limited to one practice in its Lehigh Valley system, a facility in Lackawanna County.
But the private data of about 134,000 patients became public, including diagnoses, medical histories and nude photos of hundreds of men and women.
Jane Doe had no idea that Lehigh Valley had nude photos of her stored on their computer system. She heard about the hack on the news and called the hospital to make sure her information was safe.
She didn’t know at the time that BlackCat had taken her photos and those of hundreds of others and posted them online. The lawsuit does not specify why nude photos of the patients were taken.
In addition to photographs, patients’ personal information, medical record numbers, treatment and diagnosis data, and health insurance information were also released.
Some also had their email addresses, bank details and citizen service numbers disclosed.
The fact that Jane Doe’s personal information will likely be used in the future for identity theft and fraud has, according to the complaint, caused her “feelings of anger, rage, fear, sleep disturbance, stress and anxiety.”
A Lehigh Valley Health spokesperson said, “The privacy of patients, physicians and staff is one of our top priorities and we continue to strengthen our defenses to prevent future incidents.”
BlackCat, or ALPHV, claims to be behind several other high-profile hacks into healthcare systems.
In February 2023, the hacking firm attacked UnitedHealth Group’s tech arm, Change Healthcare, which processes insurance claims. The cyberattack crippled hospitals and small practices across the country, as the outage left providers unable to pay patients’ bills.
In May 2024, Ascension, a major U.S. healthcare provider, was the victim of a major ransomware attack linked to the cybercrime group Black Basta. The attack was reportedly caused by a malicious file in a phishing email that an employee clicked on.
Hackers were able to access a wide range of private servers containing private and protected health information, disrupting employees’ ability to access patient records, causing delays in medical procedures, and leading to ambulance diversions.
Ransomware attacks wreak havoc on the healthcare systems they target, locking employees out of vital electronic patient records, blocking scheduling tools and disrupting medical equipment.
Key data may be unavailable, delaying diagnosis or treatment and potentially increasing in-hospital mortality during the attack by 35 to 41 percent.
Hospital data breaches are more common than ever. Ransomware attacks on hospitals doubled from 2016 to 2021. They’ve been increasing in frequency every year since 2012, according to federal surveillance.
Health data is a popular target for hackers because it contains a wealth of personal information, from medical history to Social Security and insurance details and credit card information.
According to the lawsuit against Lehigh Valley, the hospital failed to pay a $5 million ransom to recover the photos and other sensitive information.
Healthcare institutions are generally advised not to pay the ransom demanded of them, as this can lead to more attacks. It shows cybercriminals that with enough pressure, they can also get paid.
Paying the fee does not guarantee that victims will regain access to their controls, nor does it guarantee that the information will not be made public.