A Pennsylvania healthcare system will pay $65 million to settle a class action lawsuit over a data breach that affected 134,000 patients and employees. In 2023, a ransomware attack from the BlackCat ransomware group hit Lehigh Valley Health Network (LVHN or Lehigh). The group stole exam photos of breast cancer patients and posted them on a data leak site on the dark web.

Leaked Nude Photos

Personal photos are perhaps the most sensitive health data held by providers. The ransomware attackers were able to obtain not only medical information but also nude photos of cancer patients from examination records.

According to the proposed settlement agreement, the lead plaintiff in the class action lawsuit, identified as ‘Jane Doe,’ will receive $125,000, while the others will be paid varying amounts on a 4-tier system. Lehigh will pay $50 to each individual whose medical records were accessed in the cyberattack, $1,000 to individuals whose information was posted on the internet, $7,500 to any patient who had “non-nude” photos posted on the dark web, and $70,000 to $80,000 to other patients who had “nude photos” posted on the dark web.

The plaintiffs’ lawyers will receive $21.5 million, or one-third of the proposed settlement amount.

Plastic Surgery Practices Targeted

Sensitive patient data like photos are highly valuable to criminals who expect to be paid top dollar to prevent their disclosure. Last year, several California plastic surgery practices were hit with ransomware demands and made the news. This led the American Board of Plastic Surgery to warn its members about ransomware attacks aimed at plastic surgeons.

BlackCat Ransomware Group

In February 2023, the Russian ransomware group BlackCat attacked Pennsylvania-based Delta Medix Group, a physician practice that is part of the Lehigh Valley Health Network.

At the time, LVHN said the incident had not disrupted its systems.

The lawsuit was filed in March 2023.

In a statement to Information Security Media Group, LVHN said it had not paid the ransom but was working to improve its cybersecurity defenses.

Cyber Experts’ Advice About BlackCat

The Cybersecurity and Infrastructure Security Agency (CISA), HHS, and the FBI have been aware of the BlackCat group for years. BlackCat claimed responsibility earlier this year for the Change Healthcare attack, the largest healthcare data breach in history. It’s also responsible for the NextGen EHR attack in 2023; some believe it had a hand in the 2021 ransomware attack on the Colonial Pipeline.

CISA’s most recent security Alert about BlackCat was published in February 2024. A year earlier, CISA and HHS published the Royal and BlackCat Ransomware Threat Brief.

The Alert lists four key mitigation steps for cyber defense against ransomware attacks:

1. Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
2. Prioritize remediation of known exploited vulnerabilities.
3. Enable and enforce multifactor authentication with strong passwords.
4. Close unused ports and remove applications not deemed necessary for day-to-day operations.

The HIPAA Security Rule Protects Patient Privacy

Use the mitigation steps, but ensure your fundamental HIPAA compliance is strong before implementing them. The HIPAA Security Rule is a blueprint for preventing cyber attacks.

Covered entities like LVHN and business associates like Change Healthcare or NextGen must follow the Security Rule. This means conducting a Risk Analysis at least once a year and following a Risk Management plan year-round.

Site-specific Risk Analysis is Essential

Too often, large healthcare organizations with multiple locations are vulnerable because they lack the resources to conduct enterprise-wide risk analyses, which are required for effective risk management. Evaluating the risks at the corporate office is not enough because data is maintained and transmitted throughout the organization. Each site carries unique risks, which can only be mitigated if measured and understood.

Risk Analysis is a HIPAA Enforcement Priority in 2024

If Risk Analysis is not your top priority, now is the time to re-set priorities.

The HIPAA Risk Analysis is a top enforcement priority for the Office for Civil Rights (OCR), which enforces HIPAA. In recent years, the skyrocketing number of health data breaches and OCR’s findings during HIPAA investigations have led regulators to look more closely at healthcare organizations’ compliance with the Security Rule and the Risk Analysis.

Stay Current with The HIPAA E-Tool^®

We stay up-to-date with HIPAA and keep you informed because we know you’re busy! Call us if you want common-sense help to boost your compliance and stay ahead of cyber criminals and HIPAA audits.