Lawsuit is a strong reminder that clinical laboratories and pathology groups must take whatever steps necessary to secure their patients’ protected health information
Lehigh Valley Health Network (LVHN), one of the largest primary care groups in Pennsylvania, will pay out $65 million to settle a class-action lawsuit brought by the healthcare network’s own patients (identified only as “Jane Doe” in court documents) following a ransomware attack early last year in which LVHN refused to pay the ransom.
The payout may be the largest settlement for a single cyberattack to date and highlights the need for clinical laboratories and pathology groups to review their cyberattack defenses and incorporate steps to better secure patient protected health information (PHI), with one goal being to minimize the possibility of patients filing a class action lawsuit following a cyberattack.
LVHN blamed ransomware group ALPHV (a.k.a., BlackCat) for the attack, Fierce Healthcare reported. The hackers gained access to gigabytes of personal data belonging to 134,000 patients and staff members.
According to a news release LVHN issued in June, the private information the thieves obtained included, “names, addresses, phone numbers, medical record numbers, treatment and diagnosis information, including Current Procedural Terminology (CPT) codes, and health insurance information. For some individuals, the information included email addresses, banking information, Social Security numbers, and driver’s license numbers. The information for a limited number of individuals included clinical images of patients during treatment.”
The case is worth attention because it casts light on what the health system administration did/did not do to prevent the data breach that enabled the hackers to post nude photos of cancer patients undergoing treatment and other patient PHI on the Internet.
“When you go to the doctor’s office, that’s one place where you’re anticipating that everyone is working to maintain your privacy, even though you have to open yourself up to be treated,” said Patrick Howard, JD (above), partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C., who is representing the plaintiffs in the class action lawsuit. “It wasn’t lost on anyone that that was a very significant breach.” Clinical laboratories are particularly vulnerable since as much as 80% of a patient’s health record is lab test results and other data. (Photo copyright: Saltz Mongeluzzi Bendesky P.C.)
Lawsuit Details
The class action lawsuit was filed in March 2023 by a “Jane Doe” cancer patient whose data was hacked on behalf of herself and other victims of the cyberattack. The court documents recount how the unidentified plaintiff—a woman in her 50s—was “called by the hospital’s vice president of compliance on March 6, with news that that naked images of her were now online, before offering—‘with a chuckle’—two years of credit monitoring services. The Jane Doe plaintiff responded that she had no idea that the hospital had taken photographs of her while unclothed during her treatment for breast cancer, nor that it was storing them on corporate servers.”
“The pictures are really difficult to look at,” said Patrick Howard, JD, partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C. (SMB), who is representing the plaintiffs, in a news release. His legal team hired a cybersecurity expert who located the images the hackers had posted on the Dark Web, enabling them to “establish each person’s information that was actually online.”
The plaintiff’s attorney’s argued LVHN failed in its responsibility to protect patient information and were in violation of HIPAA (Health Insurance Portability and Accountability Act of 1996).
The class action lawsuit also alleges LVHN routinely took photos of naked cancer patients, sometimes without their knowledge. Some of those photos were published by BlackCat on the Dark Web.
“While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims,” the lawsuit states. “Rather than act in their patients’ best interest, LVHN put its own financial considerations first.”
The law firm also stated this settlement is “the largest of its kind, on a per-patient basis, in a healthcare data breach ransomware case,” The Register reported.
Patients affected by the security breach were placed in relief tiers based on the private information that was stolen and leaked. The compensatory breakdown for those patients is:
$50 to patients whose records were hacked.
$1,000 to patients who had their information posted online.
$7,500 to patients whose non-nude photos were posted online.
$70,000 to $80,000 for patients who had their nude photos posted online.
“We struck the right deal,” Howard told WHYY News. “The vast majority of that money is going to mostly women whose images were published online, in topless fashion, with both their face exposed and their name in the files.”
Game Changing Data Breach
LVHN originally announced an attack had been detected in February 2023. On March 4, 2023, the ALPHV hackers demanded a ransom in excess of $5 million from LVHN, threatening to distribute the stolen data unless the ransom was paid. LVHN refused to pay the ransom which led to the cybercriminals uploading the stolen data to the Dark Web.
“Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” stated Brian Nester, DO, President and CEO, LVHN, in a news release.
“The type of data that was exposed, it’s a game changer,” said Carter Groome, founder and CEO of digital-risk firm First Health Advisory in the SMB news release. “This was so much more of a tangible, direct distress to those people who trusted the organization.”
“Pictures are part of medical care. That’s something that they do to track scarring and all sorts of things. But they are the most delicate and sensitive medical information,” Howard told WHYY News. “I think this case will be talked about in healthcare circles for some time in best practices in storing those types of images.”
Patients had until October 21, 2024, to exclude themselves from or object to the settlement. The deadline to submit a claim form was November 3, 2024, and the final approval hearing was held on November 15, 2024.
LVHN agreed to the terms of the settlement, whilst denying any wrongdoing on its part. Individuals in the settlement class who chose to participate in the lawsuit will be sent payment automatically.
LVHN has established a website for people seeking information about the cyberattack.
As ransomware attacks continue to increase, clinical laboratories and pathology groups should review their cyberattack defenses and determine how to better secure their patients’ protected health information. Taking necessary precautions could minimize the possibility of patient data being compromised and prevent another huge class-action lawsuit.
Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections
Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.
Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”
AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”
API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.
The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)
Embargo on the Hunt for PHI
Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack.
Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data.
“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.
Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported.
Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.
Other Cyberattacks on Healthcare Organizations
Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.
Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.
Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.
Clinical laboratories and pathology groups should be on the alert to this new digital threat; telehealth sessions and video conferencing calls particularly vulnerable to acoustic AI attacks
Banks may be the first to get hit by a new form of hacking because of all the money they hold in deposit accounts, but experts say healthcare providers—including medical laboratories—are comparably lucrative targets because of the value of patient data. The point of this hacking spear is artificial intelligence (AI) with increased capabilities to penetrate digital defenses.
AI is developing rapidly. Are healthcare organizations keeping up? The hackers sure are. An article from GoBankingRates titled, “How Hackers Are Using AI to Steal Your Bank Account Password,” reveals startling new AI capabilities that could enable bad actors to compromise information technology (IT) security and steal from customers’ accounts.
Though the article covers how the AI could conduct cyberattacks on bank information, similar techniques can be employed to gain access to patients’ protected health information (PHI) and clinical laboratory databases as well, putting all healthcare consumers at risk.
The new AI cyberattack employs an acoustic Side Channel Attack (SCA). An SCA is an attack enabled by leakage of information from a physical computer system. The “acoustic” SCA listens to keystrokes through a computer’s microphone to guess a password with 95% accuracy.
“With recent developments in deep learning, the ubiquity of microphones and the rise in online services via personal devices, acoustic side channel attacks present a greater threat to keyboards than ever,” wrote UK study authors Joshua Harrison, MEng, Durham University; Ehsan Toreini, University of Surrey; and Maryam Mehrnezhad, PhD, University of London.
Hackers could be recording keystrokes during video conferencing calls as well, where an accuracy of 93% is achievable, the authors added.
This nefarious technological advance could spell trouble for healthcare security. Using acoustic SCA attacks, busy healthcare facilities, clinical laboratories, and telehealth appointments could all be potentially compromised.
“The ubiquity of keyboard acoustic emanations makes them not only a readily available attack vector, but also prompts victims to underestimate (and therefore not try to hide) their output,” wrote Joshua Harrison, MEng (above), and his team in their IEEE Xplore paper. “For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s sound.” Since computer keyboards and microphones in healthcare settings like hospitals and clinical laboratories are completely ubiquitous, the risk that this AI technology will be used to invade and steal patients’ protected health information is high. (Photo copyright: CNBC.)
Why Do Hackers Target Healthcare?
Ransomware attacks in healthcare are costly and dangerous. According to InstaMed, a healthcare payments and billing company owned by J.P. Morgan, healthcare data breaches increased to 29.5% in 2021 costing over $9 million. And beyond the financial implications, these attacks put sensitive patient data at risk.
Healthcare can be seen as one of the most desirable markets for hackers seeking sensitive information. As InstaMed points out, credit card hacks are usually quickly figured out and stopped. However, “medical records can contain multiple pieces of personally identifiable information. Additionally, breaches that expose this type of data typically take longer to uncover and are harder for an organization to determine in magnitude.”
With AI advancing at such a high rate, healthcare organizations may be unable to adapt older network systems quickly—leaving them vulnerable.
“Legacy devices have been an issue for a while now,” Alexandra Murdoch, medical data analyst at GlobalData PLC, told Medical Device Network, “Usually big medical devices, such as imaging equipment or MRI machines are really expensive and so hospitals do not replace them often. So as a result, we have in the network these old devices that can’t really be updated, and because they can’t be updated, they can’t be protected.”
But telehealth, according to the UK researchers, may also be one way hackers get past safeguards and into critical hospital systems.
“When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium. Our results prove the practicality of these side channel attacks via off-the-shelf equipment and algorithms,” the UK researchers wrote in IEEE Xplore.
“[AI] has worrying implications for the medical industry, as more and more appointments go virtual, the implications of deepfakes is a bit concerning if you only interact with a doctor over a Teams or a Zoom call,” David Higgins, Senior Director at information security company CyberArk, told Medical Device Network.
Higgins elaborated on why healthcare is a highly targeted industry for hackers.
“For a credit card record, you are looking at a cost of one to two dollars, but for a medical record, you are talking much more information because the gain for the purposes of social engineering becomes very lucrative. It’s so much easier to launch a ransomware attack, you don’t even need to be a coder, you can just buy ransomware off of the dark web and use it.”
Steps Healthcare Organizations Should Take to Prevent Cyberattacks
Hackers will do whatever they can to get their hands on medical records because stealing them is so lucrative. And this may only be the beginning, Higgins noted.
“I don’t think we are going to see a slowdown in attacks. What we are starting to see is that techniques to make that initial intrusion are becoming more sophisticated and more targeted,” he told Medical Device Network. “Now with things like AI coming into the mix, it’s going to become much harder for the day-to-day individual to spot a malicious email. Generative AI is going to fuel more of that ransomware and sadly it’s going to make it easier for more people to get past that first intrusion stage.”
To combat these attacks patient data needs to be encrypted, devices updated, and medical staff well-trained to spot cyberattacks before they get out of hand. These SCA attacks on bank accounts could be easily transferable to attacks on healthcare organizations’ patient records.
Clinical laboratories, anatomic pathology groups, and other healthcare facilities would be wise to invest in cybersecurity, training for workers, and updated technology. The hackers are going to stay on top of the technology, healthcare leaders need to be one step ahead of them.
Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information
Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and it should be a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be being sold on the dark web.
According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.
“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.
The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.
For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.
Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)
23andMe Claims Data Leak Not a Security Incident
The data leaked has been confirmed by 23andMe to be legitimate. “Threat actors used exposed credentials from other breaches [of other company’s security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.
However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.
What the genetics company has determined is that compromised accounts were from users choosing the DNA Relative feature on their website as a means to find and connect to individuals related to them. Additionally, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.
Price of Private Information
Following the 23andMe data leak, the private genetic information was quickly available online … for a price.
“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.
Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.
In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.
Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.
“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.
“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”
Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.
Preventing Future Data Leaks
Years of experts warning genetics companies like 23andMe that they need more strict data security have proven to be true. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”
“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.
Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.
Recent intrusions into the hospitals’ IT systems resulted in blocked medical records including medical laboratory data
Healthcare cyberattacks continue to be a threat that bring potentially costly business consequences for clinical laboratories. Just in the past month, two hospital systems had their health information technology (HIT) systems disrupted due to security incidents. In response, the hospitals’ medical laboratories were forced to switch from digital to paper documentation and, in at least one case, the organization reportedly had difficulty accessing electronic laboratory test results.
At Tallahassee Memorial, an “IT security issue” on Feb. 2 resulted in the organization shutting down its IT systems for 13 days, including at its clinical laboratory. The hospital’s computer network went back online on Feb. 15, according to a news release.
At Atlantic General Hospital, according to an AGH news release, IT personnel discovered a ransomware attack on Jan. 29 that affected the hospital’s central computer system. As a result, the walk-in outpatient laboratory was closed until Feb. 14.
These recent cyberattacks underscore the importance for clinical laboratory leaders to have plans and procedures already in place prior to a disruption in access to critical patient data.
Healthcare cyberattacks can be a “complete blindside for a lot of organizations that think they have protections in place because they bought a product or they developed a policy,” said Ben Denkers (above), Chief Innovation Officer at CynergisTek, an Austin, Texas-based cybersecurity company, in an exclusive interview with The Dark Report. Since clinical laboratory test results make up about 80% of a patient’s medical records, disruption of a hospital’s IT network can be life threatening. (Photo copyright: The Dark Report.)
Laboratory Staff Unable to View Digital Diagnostic Results at Tallahassee Memorial
Though the exact nature of the incident at Tallahassee Memorial HealthCare has not been divulged, hospital officials did report the incident to law enforcement, which suggests a cyberattack had occurred.
Electronic laboratory test results were among the casualties of the IT difficulties at TMH. “Staff have been unable to access digital patient records and lab results because of the shutdown,” a source told CNN.
Attempts by Dark Daily to reach a medical laboratory manager for comment at TMH were unsuccessful. However, in a news release posted online shortly after the cyberattack, the health system advised staff members on dealing with the IT outages.
“Patients and families may notice the switch to paper documentation during registration, admission, or during their care, as our providers will be using paper forms, prescription pads, handwritten notes, or other similar paper methods where they may usually use an electronic process,” the news release stated. “We apologize for any delays this may create. We practice for situations like this, and we are prepared to provide safe, high-quality care to our patients during computer system downtimes.”
Atlantic General Hospital Reports Ransomware Incident to the FBI
At Atlantic General Hospital, the outpatient walk-in laboratory and outpatient imaging department both temporarily closed because of the ransomware attack.
Staff members throughout the hospital were “forced to manually check patients in and out of appointments and record all other information by hand instead of online,” Ocean City Today reported.
The hospital immediately informed the FBI of the ransomware incident and continues to work with an incident response team to determine whether criminals accessed any sensitive data. It was not clear whether the organization ultimately paid a ransom to unlock its systems.
The hospital’s medical laboratory director did not respond to an email from Dark Daily seeking further comment.
Healthcare Cyberattacks Attempt to Gain Access to Data
Therefore, it is critical that clinical laboratory and hospital staff work with their IT counterparts to verify that technology and processes are in place to protect access to patient data.
In “Labs Must Audit Their Cybersecurity Measures,” Ben Denkers, who at that time was Chief Innovation Officer at CynergisTek, a cybersecurity firm based in Austin, Texas, told The Dark Report, “Testing, validating, and auditing whether measures are working as designed is a change of mentality for a lot of organizations.” (If you don’t subscribe to The Dark Report, try our free trial.)
An IT network attack is an attempt by a cybercriminal to gain unauthorized access to devices that contain and exchange data within an organization. Although this information may be on individual devices or on servers, network attacks are often only possible after a hacker enters a system through an endpoint, such as an individual’s email inbox.
“It’s important to understand that while the network server itself might have ultimately been the target, that doesn’t necessarily mean that it was compromised first,” Denkers told The Dark Report. “Phishing is a perfect example of a way an attacker could first gain access to a workstation, and then from there move laterally to a server.”
The final cost of a healthcare cyberattack often exceeds the ransom. Media coverage can lead to an organization’s diminished reputation within the community, and if protected health information (PHI) is accessed by the criminals, a hospital or health system may need to pay for identity theft monitoring for affected patients.
There also are regulatory repercussions that can be costly depending on the circumstances surrounding a cyberattack. For example, on Feb. 2, the US Department of Health and Human Services’ Office for Civil Rights announced a settlement with Banner Health Affiliated Covered Entities (Banner Health), a nonprofit health system headquartered in Phoenix, to resolve a data breach resulting from a hacking incident in 2016. That incident disclosed PHI for 2.81 million patients.
As part of the settlement, Banner Health paid a $1.25 million penalty and will carry out a corrective action plan to protect PHI in the future and resolve any alleged HIPAA violations, according to the HHS Office for Civil Rights.
This hefty penalty is a reminder to pathologists and clinical laboratory managers that—when it comes to cyberattacks—the classic adage “an ounce of prevention is worth a pound of cure” is appropriate advice.
