Lehigh Valley Health Network and Maternal & Family Health Services Face Lawsuit Over Ransomware Attack

Lehigh Valley Health Network (LVHN) is facing a lawsuit om association with its latest BlackCat ransomware attack. The attack resulted in the encryption of files after exfiltrating data as is common in ransomware attacks; nevertheless, the attack was distinct because of the aggressive step of the ransomware group to exert more pressure on LVHN to give the ransom payment. The group published naked pictures of breast cancer patients on its data leak website, together with passports, medical questionnaires, and other sensitive patient information including Social Security numbers, driver’s license numbers, medical diagnosis/treatment details, and laboratory data.

LVHN stood firm and did not pay the ransom. The Federal Bureau of Investigation (FBI) does not encourage paying ransoms because payment promotes more attacks. There’s no assurance that payment will end the extortion, nor does it ensure that stolen information will be erased. The lawsuit states that LVHN prioritized cash over patient privacy by not giving payment.

The lawsuit was filed in the Court of Common Pleas of Lackawanna County in Pennsylvania for the plaintiff Jane Doe and likewise situated persons. Based on the lawsuit, cancer patients getting treated at LVHN had been photographed naked, usually unknown to the patients, and the nude pictures were then saved on LVHN’s system. LVHN stated the pictures were medically proper. The lawsuit claims the BlackCat ransomware group demanded a ransom and threatened LVHN that it would begin posting the photos on its data leak website in case it doesn’t receive the ransom payment. When the ransom was not paid, the gang did what it threatened to do. BlackCat has additionally threatened to post more data every week in case its ransom demand is still declined.

LVHN had to act while considering the impact on its patients in case those photos were posted online. The plaintiff’s lawyers said LVHN made a willful decision to let the hackers post the naked photos online rather than do something to protect their patients’ welfare, LVHN took care of its financial problems first. The legal action holds LVHN responsible for the disgrace and mortification that the incident has caused the plaintiff and class members.

Besides the shame and mortification brought on by the posting of nude pictures, the plaintiff and class members’ sensitive data were stolen and posted on the internet. The theft and exposure of information have placed the plaintiff and class members in danger of identity theft and fraud. As a result, they had to spend a lot to cover the cost of pricey and labor-intensive efforts to offset the danger of fraud.

The lawsuit claims LVHN knew or must have known about the predictable and devastating effects of healthcare ransomware attacks and data security breaches. There were several alerts released by the Federal Trade Commission, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA). Still, LVHN didn’t put in place proper and reasonable procedures to safeguard against ransomware attacks. The lawsuit states that these nine HIPAA provisions had been violated by LVHN: negligence, negligence per se, breach of implied contract, breach of fiduciary duty, breach of confidence, and publicity given to personal life.

The lawsuit wants a jury trial, class action status, and remedies such as damages, repayment of out-of-pocket- expenses, and fair and injunctive relief, which include changes to LVHN’s data security systems, yearly security audits, and the identity theft protection services provided to the plaintiff and class members.

Patrick Howard and Simon VB. Harris of Saltz, Mongeluzzi, & Bendesky, P.C. law firm filed the lawsuit.

Maternal & Family Health Services Faces Lawsuit Due to Ransomware Attack and Data Breach

Maternal & Family Health Services (MFHS) based in Wilkes-Barre, Pennsylvania is facing a lawsuit, which claims the healthcare company didn’t protect patient information and didn’t issue prompt breach notifications.

Last January 2023, MFHS, one of Pennsylvania’s biggest healthcare companies, informed roughly 461,000 present and past patients regarding a security breach. Based on the notifications, unauthorized persons acquired access to its system and utilized ransomware for file encryption. MFHS stated it identified the advanced ransomware attack in April 2022. The forensic investigation affirmed the attackers got access to its system from August 2021 to April 2022. During that period of time, the attackers potentially stole patient information including names, addresses, birth dates, driver’s license numbers, Social Security numbers, financial account/payment card details, medical data, and medical insurance data. When issuing notices, there was no patient data misuse detected; nevertheless, as a safety measure, the affected patients received free credit monitoring and identity theft protection services.

On March 3, 2023, in the U.S. District Court for the Middle District of Pennsylvania, a lawsuit alleging breach of confidence, negligence, breach of contract, breach of implied contract, and breach of fiduciary duty had been filed. Based on the lawsuit, MFHS failed to apply reasonable and proper safety measures to secure patient privacy, then was unable to issue prompt notifications when the breach was identified.

The lead plaintiff of the lawsuit is Chris Izquierdo of Scranton, PA. Izquierdo, a previous MFHS patient, was informed regarding the data breach in January 2023 and claims the theft of his protected health information (PHI) in the attack and its misuse. After the breach, no less than five credit card accounts were registered under his name in Florida, and there had been charges applied to those accounts. Izquierdo is told that he needs to pay the interest on those cards. The lawsuit likewise claims a 9-month delay in notifications, which were sent almost 9 months after the discovery of the breach. Under the HIPAA Breach Notification rule, notifications must be issued within 60 days of discovering a data breach.

The lawsuit wants damages, and injunctive relief demanding MFHS to carry out comprehensive cybersecurity procedures to better safeguard patient information, and attorneys’ fees and legal charges. The plaintiff’s representative is Gazda Penetar PC and Morgan & Morgan.