Proposed class action lawsuit filed over Lehigh Valley Health Network data breach

Terrie Morgan-Besecker, The Times-Tribune, Scranton, Pa.
·3 min read

Mar. 14—The Lehigh Valley Health Network knew that hospital systems nationwide are prone to cybercriminal attacks, but it still failed to take sufficient measures to protect its patients' information, according to a proposed class action lawsuit.

The lawsuit appears to be the first to seek damages on behalf of patients impacted by a data breach at LVHN's Lackawanna County-based Delta Medix locations, which resulted in their private information and nude photos being posted on the dark web.

LVHN first reported on Feb. 20 that the Russian ransomware gang BlackCat posted three photos and seven documents after the health care provider refused to pay the ransom the hackers demanded. On March 10, LVHN acknowledged the group posted an undisclosed number of additional photos and expects BlackCat will continue to do so.

The suit, filed in Lackawanna County Court by Philadelphia attorney Patrick Howard, blasts the health system for refusing to pay the ransom.

"While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims," Howard says in the suit. "Rather than act in their patients' best interest, LVHN put its own financial considerations first."

Brian Downs, spokesman for the hospital system, declined to comment on the suit.

According to the lawsuit, the lead plaintiff, a Dunmore woman, did not know the nude photos were taken or that they would be stored on the health system's servers.

The woman, who is identified as Jane Doe to protect her privacy, contacted her physician on Feb. 28 after learning of the data breach through the news media to inquire if her information was compromised.

LVHN's president of compliance, Mary Ann LaRock, contacted her on March 6 to confirm images of her nude chest and face taken during radiation treatments were posted. LaRock apologized and offered the woman two years of credit monitoring.

In addition to humiliation and embarrassment, the woman and the other victims also face potential financial harm should the hackers use their private information to steal their identities, the suit says.

The suit faults the health system for failing to take adequate measures to protect against the hackers, particularly given the surge in cyber attacks nationwide, which it says increased by 70% between 2020 and 2021.

Health care providers are a primary target because they sit on a "gold mine" of sensitive information, including social security numbers, credit card numbers and private health information, the suit says.

"As a healthcare provider with several thousands of current and former patients, if not more, LVHN knew or should have known the importance of protecting the sensitive information entrusted to it," the suit says.

The suit seeks damages on five counts, including negligence and breach of contract and privacy for the lead plaintiff and others who have been impacted. The number of victims is not known yet.

Contact the writer: tbesecker@timesshamrock.com; 570-348-9137; @tmbeseckerTT on Twitter.