Lawsuit is a strong reminder that clinical laboratories and pathology groups must take whatever steps necessary to secure their patients’ protected health information
Lehigh Valley Health Network (LVHN), one of the largest primary care groups in Pennsylvania, will pay out $65 million to settle a class-action lawsuit brought by the healthcare network’s own patients (identified only as “Jane Doe” in court documents) following a ransomware attack early last year in which LVHN refused to pay the ransom.
The payout may be the largest settlement for a single cyberattack to date and highlights the need for clinical laboratories and pathology groups to review their cyberattack defenses and incorporate steps to better secure patient protected health information (PHI), with one goal being to minimize the possibility of patients filing a class action lawsuit following a cyberattack.
LVHN blamed ransomware group ALPHV (a.k.a., BlackCat) for the attack, Fierce Healthcare reported. The hackers gained access to gigabytes of personal data belonging to 134,000 patients and staff members.
According to a news release LVHN issued in June, the private information the thieves obtained included, “names, addresses, phone numbers, medical record numbers, treatment and diagnosis information, including Current Procedural Terminology (CPT) codes, and health insurance information. For some individuals, the information included email addresses, banking information, Social Security numbers, and driver’s license numbers. The information for a limited number of individuals included clinical images of patients during treatment.”
The case is worth attention because it casts light on what the health system administration did/did not do to prevent the data breach that enabled the hackers to post nude photos of cancer patients undergoing treatment and other patient PHI on the Internet.
“When you go to the doctor’s office, that’s one place where you’re anticipating that everyone is working to maintain your privacy, even though you have to open yourself up to be treated,” said Patrick Howard, JD (above), partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C., who is representing the plaintiffs in the class action lawsuit. “It wasn’t lost on anyone that that was a very significant breach.” Clinical laboratories are particularly vulnerable since as much as 80% of a patient’s health record is lab test results and other data. (Photo copyright: Saltz Mongeluzzi Bendesky P.C.)
Lawsuit Details
The class action lawsuit was filed in March 2023 by a “Jane Doe” cancer patient whose data was hacked on behalf of herself and other victims of the cyberattack. The court documents recount how the unidentified plaintiff—a woman in her 50s—was “called by the hospital’s vice president of compliance on March 6, with news that that naked images of her were now online, before offering—‘with a chuckle’—two years of credit monitoring services. The Jane Doe plaintiff responded that she had no idea that the hospital had taken photographs of her while unclothed during her treatment for breast cancer, nor that it was storing them on corporate servers.”
“The pictures are really difficult to look at,” said Patrick Howard, JD, partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C. (SMB), who is representing the plaintiffs, in a news release. His legal team hired a cybersecurity expert who located the images the hackers had posted on the Dark Web, enabling them to “establish each person’s information that was actually online.”
The plaintiff’s attorney’s argued LVHN failed in its responsibility to protect patient information and were in violation of HIPAA (Health Insurance Portability and Accountability Act of 1996).
The class action lawsuit also alleges LVHN routinely took photos of naked cancer patients, sometimes without their knowledge. Some of those photos were published by BlackCat on the Dark Web.
“While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims,” the lawsuit states. “Rather than act in their patients’ best interest, LVHN put its own financial considerations first.”
The law firm also stated this settlement is “the largest of its kind, on a per-patient basis, in a healthcare data breach ransomware case,” The Register reported.
Patients affected by the security breach were placed in relief tiers based on the private information that was stolen and leaked. The compensatory breakdown for those patients is:
$50 to patients whose records were hacked.
$1,000 to patients who had their information posted online.
$7,500 to patients whose non-nude photos were posted online.
$70,000 to $80,000 for patients who had their nude photos posted online.
“We struck the right deal,” Howard told WHYY News. “The vast majority of that money is going to mostly women whose images were published online, in topless fashion, with both their face exposed and their name in the files.”
Game Changing Data Breach
LVHN originally announced an attack had been detected in February 2023. On March 4, 2023, the ALPHV hackers demanded a ransom in excess of $5 million from LVHN, threatening to distribute the stolen data unless the ransom was paid. LVHN refused to pay the ransom which led to the cybercriminals uploading the stolen data to the Dark Web.
“Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” stated Brian Nester, DO, President and CEO, LVHN, in a news release.
“The type of data that was exposed, it’s a game changer,” said Carter Groome, founder and CEO of digital-risk firm First Health Advisory in the SMB news release. “This was so much more of a tangible, direct distress to those people who trusted the organization.”
“Pictures are part of medical care. That’s something that they do to track scarring and all sorts of things. But they are the most delicate and sensitive medical information,” Howard told WHYY News. “I think this case will be talked about in healthcare circles for some time in best practices in storing those types of images.”
Patients had until October 21, 2024, to exclude themselves from or object to the settlement. The deadline to submit a claim form was November 3, 2024, and the final approval hearing was held on November 15, 2024.
LVHN agreed to the terms of the settlement, whilst denying any wrongdoing on its part. Individuals in the settlement class who chose to participate in the lawsuit will be sent payment automatically.
LVHN has established a website for people seeking information about the cyberattack.
As ransomware attacks continue to increase, clinical laboratories and pathology groups should review their cyberattack defenses and determine how to better secure their patients’ protected health information. Taking necessary precautions could minimize the possibility of patient data being compromised and prevent another huge class-action lawsuit.
Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections
Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.
Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”
AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”
API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.
The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)
Embargo on the Hunt for PHI
Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack.
Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data.
“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.
Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported.
Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.
Other Cyberattacks on Healthcare Organizations
Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.
Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.
Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.
Initially thought to be an attack by a nation-state, actual culprit turned out to be a known ransomware group and each day brings new revelations about the cyberattack
Fallout continues from cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they cannot submit claims to Change Healthcare nor receive reimbursement for these claims.
The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”
A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.
Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”
Change Healthcare handles about 15 billion payments each year.
According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”
Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.
“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)
Millions of Records May be in Wrong Hands
Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.”
The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies.
In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”
“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.
Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”
In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”
Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:
Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
Groups have been unable to perform eligibility checks for patients.
Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.
Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how to best prevent ransomware attacks. Labs hold vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.
