Hackers stole nude photographs of about 600 men and women receiving cancer treatment at a Pennsylvania hospital, the latest in a rapidly growing number of cyberattacks on health systems.
Ransomware attacks against hospitals, in which hackers hold sensitive patient information hostage until the institution hands over a substantial sum of money, are becoming increasingly common.
In the United States, attacks against the healthcare sector increased by 128 percent in a single year, with 258 victims in 2023 compared to 113 in 2022.
The latest hospital to fall victim to ransomware was Lehigh Valley Health Network, which recently settled a $65 million case against it for allegedly failing to protect highly sensitive patient information, including nude photos of patients.
The lead plaintiff in the case, referred to only as Jane Doe, is a woman in her 50s whose nude photos taken during her radiation treatments found their way onto the dark web, causing her to feel a mix of rage, anger, anxiety and fear.
Lehigh Valley hospital network hit by ransomware attack, resulting in 135,000 patients’ private information being exposed to the dark web
Your browser does not support iframes.
The BlackCat ransomware group claimed responsibility for the attack in February 2023, but its scope was limited. The hospital said the scope of the attack stopped at one office within the Lehigh Valley system, a facility in Lackawanna County.
But private data on around 134,000 patients was exposed, including diagnoses, medical histories and photographs of hundreds of naked men and women.
Jane Doe had no idea that Lehigh Valley had stored nude photos of her on its computer system. She heard about the hack on the news and called the hospital to make sure her information was safe.
At the time, she was unaware that BlackCat had taken her photos and those of hundreds of others and posted them online. The lawsuit does not specify why the nude photos of the patients were taken.
In addition to the photographs, patients’ personal data, medical record numbers, information about treatments and diagnoses, and health insurance information were published.
Some also had email addresses, banking information and Social Security numbers disclosed.
The fact that Jane Doe’s private information will likely be used in the future for identity theft and fraud, according to the lawsuit, has caused her to experience “feelings of rage, anger, anxiety, sleep disturbance, stress and fear.”
A Lehigh Valley Health spokesperson said: “The privacy of patients, physicians and staff is among our top priorities and we continue to enhance our defenses to prevent incidents in the future.”
BlackCat, or ALPHV, has claimed to be behind several other high-profile attacks on healthcare systems.
In February 2023, the hacking firm attacked UnitedHealth Group’s technology division, Change Healthcare, which processes insurance claims. The cyberattack crippled hospitals and small practices across the country as the service disruption prevented providers from being able to pay patients’ bills.
In May 2024, Ascension, a major US healthcare provider, fell victim to a major ransomware attack linked to the Black Basta cybercrime group. The attack is believed to have been caused by a malicious file sent in a phishing email that was clicked on by an employee.
Hackers were able to access a wide range of private servers containing private and protected healthcare information. This disrupted workers’ ability to access patient records, caused delays in medical procedures, and diverted ambulances.
In the United States, attacks against the healthcare sector increased by 128 percent in a single year, with 258 victims in 2023 compared to 113 in 2022.
Ransomware attacks wreak havoc on the healthcare systems they target, preventing staff from accessing critical electronic medical record systems, blocking programming tools, and interfering with medical devices.
Critical data may not be available, resulting in slower diagnosis or treatment and potentially causing a 35 to 41 percent increase in hospital mortality rates during the attack.
Data breaches at hospitals are more common than ever. Ransomware attacks targeting hospitals doubled between 2016 and 2021. They have become increasingly common since 2012, according to federal surveillance.
Health data is a prime target for hackers because it contains a treasure trove of personal information, from medical history to Social Security and insurance information, as well as credit card information.
According to the lawsuit against Lehigh Valley, the hospital system failed to pay the $5 million ransom to recover the photos and other confidential information.
Healthcare organizations are generally advised not to pay the ransom imposed on them because this could encourage further attacks, as it shows cybercriminals that they can extract payment with enough pressure.
Paying the fee does not guarantee that victims will regain access to their controls, nor is there a guarantee that the information will not be made public.
