Sean Lyngass
CNN.com
Originally posted 23 Sept 24
A Pennsylvania health care system this month agreed to pay $65 million to victims of a February 2023 ransomware attack after hackers posted nude photos of cancer patients online, according to the victims’ lawyers.
It’s the largest settlement of its kind in terms of per-patient compensation for victims of a cyberattack, according to Saltz Mongeluzzi Bendesky, the law firm representing the plaintiffs.
The settlement, which is subject to approval by a judge, is a warning to other big US health care providers that the most sensitive patient records they hold are of enormous value to both hackers and the patients themselves, health care cyber experts told CNN. Eighty percent of the $65-million settlement is set aside for victims whose nude photos were published online.
The settlement “shifts the legal, insurance and adversarial ecosystem,” said Carter Groome, chief executive of cybersecurity firm First Health Advisory. “If you’re protecting health data as a crown jewel — as you should be — images or photos are going to need another level of compartmentalized protection.”
It’s a potentially continuous cycle where hackers increasingly seek out the most sensitive patient data to steal, and health care providers move to settle claims out of courts to avoid “ongoing reputational harm,” Groome told CNN.
According to the lawsuit, a cybercriminal gang stole nude photos of cancer patients last year from Lehigh Valley Health Network, which comprises 15 hospitals and health centers in eastern Pennsylvania. The hackers demanded a ransom payment and when Lehigh refused to pay, they leaked the photos online.
The lawsuit, filed on behalf of a Pennsylvania woman and others whose nude photos were posted online, said that Lehigh Valley Health Network needed to be held accountable “for the embarrassment and humiliation” it had caused plaintiffs.
“Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future,” Lehigh Valley Health Network said in a statement to CNN on Monday.
Here are some thoughts:
The ransomware attack on Lehigh Valley Health Network raises significant ethical and healthcare concerns. The exposure of nude photos of cancer patients is a profound breach of trust and privacy, causing serious emotional distress and psychological harm. Healthcare providers have a duty of care to protect patient data and must be held accountable when they fail to do so. The decision to pay a ransom is ethically complex: payment can incentivize further attacks, while refusal can leave patients exposed and potentially jeopardize their safety. The frequency and severity of ransomware attacks highlight the urgent need for stronger cybersecurity measures in the healthcare sector. By addressing these ethical and practical considerations, healthcare organizations can better safeguard patient information and ensure the delivery of high-quality care.