One of the largest healthcare providers in Pennsylvania, Lehigh Valley Health Network (LVHN), found itself at the center of a data breach that would ultimately cost the organization $65 million in a class-action lawsuit settlement.
On February 6, 2023, LVHN discovered that its systems had been infiltrated by ALPHV, also known as the BlackCat gang, a prolific ransomware group. The cybercriminals had managed to steal gigabytes of sensitive data belonging to 134,000 patients and staff members, including names, addresses, Social Security numbers, state IDs, medical records, and even graphic surgical images.
The hackers had also gained access to a database of nude photographs of cancer patients – some of which were taken without the patient's knowledge or consent. When LVHN refused to pay the ransom demanded by the cybercriminals to prevent the release of this sensitive material, the criminals followed through on their threat, posting the stolen images online for the world to see.
The class-action lawsuit filed against LVHN paints a damning picture of the hospital's actions or lack thereof. The plaintiffs allege that the medical group routinely took photographs of naked cancer patients, often without their knowledge or consent, and then stored these sensitive images on corporate servers – a clear breach of patient trust and privacy.
Furthermore, the lawsuit claims that LVHN prioritized its financial considerations over the well-being of its patients, stating that "rather than act in their patient's best interest, LVHN put its own financial considerations first." The hospital's response to the breach, which included offering two years of credit monitoring services to the affected individuals, was also heavily criticized as being inadequate and insensitive.
A data breach occurs when sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized parties. This includes personal information such as names, Social Security numbers, payment card details, and medical records. Breaches happen through many routes: external intrusion, malware and ransomware, insider misuse, or simply inadequate controls over where data is stored and who can reach it.
Legal action can follow a data breach: affected individuals or organizations may sue for the harm caused, and, as the LVHN settlement shows, class-action claims can run into tens of millions of dollars.
Healthcare organizations can reduce the risk of data breaches by collecting and retaining only the data they genuinely need, restricting access to sensitive records to the staff who require it, encrypting sensitive data at rest and in transit, keeping systems patched, enforcing multi-factor authentication on remote and privileged access, and training employees regularly to recognize phishing and other social-engineering attempts.
Upon discovering a data breach, a healthcare organization should contain it, preserve evidence so the intrusion can be reconstructed, assess the scope of the impact, notify affected individuals and relevant authorities (under the HIPAA Breach Notification Rule, affected individuals and the HHS Office for Civil Rights must be notified without unreasonable delay and no later than 60 days after discovery), and complete an investigation to determine how the breach occurred and what controls will prevent a recurrence.