When healthcare meets ransomware: it’s personal (literally)
In a plot straight out of a dark comedy, Lehigh Valley Health Network (LVHN) recently found itself facing an attack of both the digital and emotional kind. We often forget that even though a cyber security attack feels technical, it has a real-world impact on those around us.

In February 2023, this Pennsylvania-based healthcare system was held hostage, not just financially, but with the dignity of its patients at stake. BlackCat, a Russia-based ransomware group with a taste for drama, accessed clinical images of breast cancer patients and demanded a $5 million ransom. When LVHN refused, BlackCat decided to share the photos with the world. Yes, you read that right…

Now, LVHN is shelling out $65 million to the victims in what has become one of the most scandalous data breaches in healthcare.
Anatomy of a Cyber Attack
Let’s break down what happened, layer by layer. BlackCat managed to breach the network through a physician practice affiliated with LVHN. Having accessed sensitive information on nearly 135,000 patients, including treatment photos of oncology patients, they stole a sizable 132 gigabytes of data. And in a move that would make even the most hardened criminal blush, BlackCat released clinically sensitive photos of breast cancer patients. If you’re imagining a group of hackers with no moral compass cackling at their screens, well, you’re not far off.

According to KFOR, the leak included screenshots of medical records, personal information, and sensitive patient data. In a cruel twist, BlackCat demanded that LVHN cough up $5 million. LVHN didn’t pay, prompting BlackCat to upload the stolen data to their leak site on the dark web. They weren’t bluffing, either—these hackers exposed patient diagnoses, medical records, and photos of patients in vulnerable states.

As one of the victims filed a lawsuit against LVHN, the fallout only intensified. The lawsuit alleged that the healthcare network prioritised “financial considerations” over the well-being of its patients. The suit, which aims for class-action status, accuses LVHN of negligence in failing to protect patient information.
What Does $65 Million Buy You?
While LVHN might have dodged the $5 million ransom, they now face a $65 million settlement, pending judicial approval. With compensation ranging from $50 to $70,000, the payout will address the emotional and reputational damage suffered by the victims. Those whose photos were released stand to receive 80% of the total settlement amount.

But what does this mean for LVHN? Well, aside from a significant financial loss, the health system’s reputation has taken a massive hit. Carter Groome, CEO of First Health Advisory, highlighted that this incident signals a need for a major shift in how healthcare data is protected. He argued that healthcare providers should consider clinical images, like those exposed here, as “crown jewels” requiring stringent compartmentalised protection.

In an era where healthcare systems are constantly targeted by cybercriminals, the LVHN incident underlines a harsh reality: data security must be treated as a priority, not an afterthought.
Healthcare Hacks: A Rising Threat
LVHN’s experience isn’t unique. The FBI recently reported a 128% increase in cyber attacks on the healthcare sector from 2022 to 2023, with a whopping 258 attacks in the last year alone. What’s fuelling this trend? Quite simply, the healthcare industry houses a wealth of sensitive data—and attackers know it.

From ransomware attacks on hospitals to data breaches exposing personal information, healthcare institutions have become gold mines for hackers. And the financial impact can be monumental: not only are institutions hit with demands for ransoms, but the costs of legal fees, fines, and reputation management quickly pile up.

BlackCat, the group behind the LVHN attack, has gained a reputation for high-profile hacks. The group also targeted Change Healthcare earlier this year, affecting thousands of small practices and major hospitals across the U.S. As more healthcare institutions refuse to pay, attackers have doubled down, becoming more audacious in their threats and increasingly desperate to capitalise on their ill-gotten data.
Should Hospitals Pay the Ransom?
The FBI maintains that paying a ransom only encourages further attacks. And while refusing to pay may seem like the moral high ground, the decision isn’t always that simple. In LVHN’s case, the healthcare provider refused to give in to BlackCat’s demand, ultimately leading to the release of highly sensitive information.

Cybersecurity experts, like us at Core to Cloud, warn that as more organisations decline ransom demands, attackers may seek other ways to apply pressure. For healthcare systems, that could mean not just losing financial information, but exposing the deeply personal experiences of patients, as seen in this attack.
Where Do We Go From Here?
The LVHN incident brings us to an uncomfortable reality: healthcare providers need to rethink their cybersecurity strategies. The release of patient images isn’t just a privacy violation; it’s an assault on the trust that patients place in their healthcare providers.

As we navigate an era where cybercriminals become more ruthless, institutions must step up their game. The age-old notion that data is valuable has taken on a new, deeply personal meaning. Healthcare organisations now face a stark choice: invest heavily in robust cybersecurity measures or risk exposing their patients in the most literal sense.

For now, we’re left to watch as LVHN navigates the fallout of this unprecedented breach. And as more patients demand accountability, perhaps the healthcare industry will finally heed the wake-up call. Let’s hope that the next time you’re asked to strip down for a clinical procedure, you can trust that your dignity—and your data—are fully protected.
A Bare Necessity
This breach didn’t just expose patient data—it stripped bare the inadequacies in healthcare’s cybersecurity approach. If there’s one takeaway, it’s this: as patients, we deserve a healthcare system that values not just our health, but our privacy and trust. And as providers, healthcare organisations have a duty to protect the whole patient—including the parts of us that can’t be treated with a prescription.

Let’s hope LVHN’s experience leads to a renewed focus on privacy and security. Because as the saying goes, an ounce of prevention is worth a pound of cure—and in this case, a pound of ransomware defence might just be worth $65 million.
The One-Stop Shop for Cyber Professionals: Your Cybersecurity Sidekick
Are you a CISO or an IT team feeling the pressure to safeguard sensitive data, especially in critical fields like healthcare? You’re not alone, and you certainly don’t have to face these threats by yourself. Now more than ever, the healthcare sector needs robust cybersecurity measures to detect, defend, and respond to ever-evolving cyber threats.

We’re here to help you plot a course through the dark waters of cyber risks, keeping your organisation and patient data secure. With our solutions, you can replace uncertainty with confidence, knowing your defences are up to date and ready to combat even the most sophisticated attacks.

As healthcare remains an attractive target for cybercriminals, it’s time to turn the tide with proactive and resilient defences. To get you started on this path, we’re offering a free security test audit. It’s your first step toward a safer, more secure future—because peace of mind is priceless.