LVHN: Sensitive photos of almost 2,800 patients potentially stolen in data breach

Apr. 12—Cybercriminals potentially stole sensitive photographs of as many as 2,760 patients during the data breach at Lehigh Valley Health Network, the company said in a court filing.

In disclosing the figure, the health care provider suggested a proposed class-action lawsuit over the breach — and the subsequent posting of patient information and nude photos to the dark web — could expose it to claims for damages in excess of $55 million under one scenario.

LVHN also revealed, apparently for the first time, the hackers responsible for the breach demanded a ransom of more than $5 million.

The new information is contained in a notice transferring the class-action suit from Lackawanna County Court, where it was filed March 13 by a Dunmore woman allegedly victimized in the data breach, to U.S. District Court.

LVHN announced in February a cybersecurity attack carried out by the Russian ransomware gang BlackCat had compromised the confidential records and "clinically appropriate" photographs of an unknown number of its patients.

The attack targeted a network supporting Delta Medix, the Lackawanna County-based medical practice LVHN acquired in 2021.

When LVHN refused to pay the ransom sought by the hackers, BlackCat began making the stolen patient images and information available for download on the dark web.

The lead plaintiff in the proposed class-action lawsuit, who is identified as Jane Doe to protect her privacy, said in the suit an LVHN official notified her March 6 that hackers had posted photos of her bare chest and face that were taken during radiation treatments.

The woman did not know LVHN took the nude photos of her or that they would be stored on the system's servers, according to the suit.

In a notice filed last Thursday to remove the class-action lawsuit from county court, LVHN said federal court is the proper venue for the case because it meets three requirements: the putative class has at least 100 members, some live outside Pennsylvania and the amount in controversy exceeds $5 million.

According to the notice, LVHN's investigation of the data breach is ongoing, and the health network is still working to identify all of the patients and the "data elements" that were potentially affected during the incident.

"Thus far, LVHN has identified approximately 2,760 individuals that had clinically appropriate photographs taken during the course of their medical treatment, which were potentially stolen as a result of the security incident," the provider said.

LVHN said its investigation also showed some patients whose photos were possibly accessed by hackers are residents of other states, including New York, New Jersey, Virginia, Georgia and California.

Although the proposed class-action lawsuit does not specify the amount of damages sought, LVHN said it is clear from the allegations it will be "far more" than $5 million.

LVHN said the lawsuit indicated the cost to resolve a single identity theft-related incident is around $20,000, an amount that could be greater in this case because the information exposed included "permanent data," such as birth dates.

Based on that alone, the amount in controversy for a 2,760-member class would be $55.2 million, LVHN said.

The provider said the approximately 2,760 patients whose photos were potentially stolen would each need to seek no more than $1,812 in damages for their claims to total $5 million.

In addition, LVHN said Jane Doe is seeking injunctive relief in the form of an order compelling the health network to pay BlackCat's ransom demand, which the provider confirmed was itself in excess of $5 million.

"Accordingly, the amount-in-controversy element is easily met," LVHN said.

Philadelphia attorney Patrick Howard, who filed the lawsuit on behalf of Jane Doe and other class members, objected to the case's removal from county court in a letter filed in federal court in Scranton, arguing LVHN had not satisfied the requirements for transferring jurisdiction.

He declined further comment Wednesday.

Contact the writer: dsingleton@timesshamrock.com, 570-348-9132