Attorneys in LVHN data breach lawsuit battle over protection of data downloaded from dark web

Terrie Morgan-Besecker, The Times-Tribune, Scranton, Pa.
·3 min read

Jul. 29—Attorneys for Lehigh Valley Health Network allege lawyers suing the provider over a cyberattack that exposed patients' personal information to the dark web improperly downloaded the data from a website run by the hackers.

In a court motion, attorney Phyillis Sumner, of Atlanta, alleges attorneys who filed a class-action lawsuit obtained the stolen data in an attempt to gain a strategic advantage in the case. She asks a judge to issue a protective order that would limit who can see the information.

Patrick Howard, of Philadelphia, one of the attorneys for the plaintiffs, acknowledged they obtained the information. He vehemently denies the action was improper, noting LVHN also downloaded the data.

"It's a totally frivolous allegation and likely unethical to lob at counsel who are upstanding members of the bar," Howard said in an email.

Attempts to reach Sumner for comment were unsuccessful.

The motion is the latest filing in a lawsuit relating to a cyberattack by the Russian ransomware group BlackCat that targeted the Lackawanna County-based Delta Medix Group, which is part of LVHN's network. LVHN reported in February that hackers posted sensitive photos and information on the dark web after the organization refused to pay the ransom the hackers demanded.

The lawsuit seeks damages for the lead plaintiff, identified as Jane Doe to protect her privacy, and all other patients impacted by the breach. The suit was initially filed in March in Lackawanna County Court, but LVHN transferred the case to federal court. A federal judge recently returned the case to county court.

In her motion, Sumner criticizes the plaintiffs' attorneys for downloading the data, alleging they are "furthering BlackCat's goal in stealing the data." She says she asked the attorneys to destroy or return the data, but they refused.

The motion seeks a protective order that would classify the information as "highly confidential," which means it could be shared only with a limited number of people, including attorneys, experts and the court.

"Plaintiff's position is that they have the right to publicly disseminate any information stolen ... simply because her counsel took the extraordinary step of actually acquiring that information from the Russian cyber-criminal organization," Sumner says in the motion.

In a reply, Howard said LVHN is misstating their position. He said the attorneys agreed to keep the information confidential, but they oppose LVHN's request because it is overly broad and would forbid them from sharing information with the affected parties.

"LVHN's counsel is knowingly asserting misleading and false statements to the court," Howard said in court papers. "To be clear, plaintiffs have no intent, now or ever, of publicly disseminating any of the downloaded data."

Sumner also filed a separate motion that seeks dismissal of the case, arguing in part that the plaintiffs have failed to identify specific shortcomings in LVHN's security network that led to the breach.

Howard will have an opportunity to respond to that motion. A county judge will review that motion and the motion seeking a protective order and rule at a later date.

Contact the writer:

tbesecker@timesshamrock.com; 570-348-9137;

@tmbeseckerTT on Twitter.