Cancer Patient Sues Hospital After Ransomware Gang Leaks Her Nude Medical Photos (theregister.com)
An anonymous reader quotes a report from The Register: A cancer patient whose nude medical photos and records were posted online after they were stolen by a ransomware gang, has sued her healthcare provider for allowing the "preventable" and "seriously damaging" leak. The proposed class-action lawsuit stems from a February intrusion during which malware crew BlackCat (also known as ALPHV) broke into one of the Lehigh Valley Health Network (LVHN) physician's networks, stole images of patients undergoing radiation oncology treatment along with other sensitive health records belonging to more than 75,000 people, and then demanded a ransom payment to decrypt the files and prevent it from posting the health data online. The Pennsylvania health care group, one of the largest in the US state, oversees 13 hospitals, 28 health centers, and dozens of other physicians' clinics, pharmacies, rehab centers, imaging and lab services. LVHN refused to pay the ransom, and earlier this month BlackCat started leaking patient info, including images of at least two breast cancer patients, naked from the waist up.
According to the lawsuit [PDF] filed this week, here's how one of the patients, identified as "Jane Doe" found out about the data breach -- and that LVHN had stored nude images of her on its network in the first place. On March 6, LVHN VP of Compliance Mary Ann LaRock, called Doe and told her that her nude photos had been posted on the hackers' leak site. "Ms. LaRock offered plaintiff an apology, and with a chuckle, two years of credit monitoring," the court documents say. In addition to swiping the very sensitive photos, the crooks also made off with everything needed for identity fraud.
According to the lawsuit, LaRock also told Doe that her physical and email addresses, along with date of birth, social security number, health insurance provider, medical diagnosis and treatment information, and lab results were also likely stolen in the breach. "Given that LVHN is and was storing the sensitive information of plaintiff and the class, including nude photographs of plaintiff receiving sensitive cancer treatment, LVHN knew or should have known of the serious risk and harm that could occur from a data breach," the lawsuit says. It claims LVHN was negligent in its duty to safeguard patients' sensitive information, and seeks class action status for everyone whose data was exposed with monetary damages to be determined. Pennsylvania attorney Patrick Howard, who is representing Doe and the rest of the plaintiffs in the proposed class action, said he expects the number of patients affected by the breach to be in the "hundreds, if not thousands."
I'm going to hell for saying it (Score:2)
Remember that old anti-piracy campaign?
You wouldn't download a cancer patient's nudes.
Re: (Score:2)
The IT Crowd?
"You wouldn't take a crap in the helmet of the Booby who nicked you for downloading the pics?"
Re: (Score:2, Funny)
Try again. I've already seen all the goats I wanted to see in Iran.
Maybe some stuff should simply not be on online? (Score:5, Insightful)
Re:Maybe some stuff should simply not be on online (Score:5, Insightful)
It does seem that many organizations are simply getting too casual about what information exists on networks that are accessible by the outside world.
That was basically the plot of this movie from 1995 [imdb.com]. Next story on /.'s homepage is how someone used deepfake audio technology to circumvent voice identification security. That also was from a 90s movie [imdb.com].
I guess enough time has passed that we now actually have people working in the infosec industry who are too young to have seen those movies.
Re: (Score:2)
I guess enough time has passed that we now actually have people working in the infosec industry who are too young to have seen those movies.
Or too cocky and stupid to think of them as cautionary tales.
Re:Maybe some stuff should simply not be on online (Score:5, Insightful)
That has stopped being an option. But maybe use what is actually known about secure design, implementation, configuration and operation of IT infrastructure and applications? That would make such occurrences very rare, too rare to support criminal enterprises financially, and basically impossible for amateurs to get in.
Re: (Score:2)
What the HELL do you mean, "stopped being an option"? Perhaps this suit should award major damages, and give the hospital the option to pass most of it on to any equipment vendors who required the data to be on the internet.
Re: (Score:2)
Do you have any idea how the IT of a modern hospital works? If you had, you would not claim that keeping things offline was an option. Here is a statistic from the time physical X-rays were used: Radiology personnel spent up to 30% (!) of their time searching for X-rays (no, I do not have a reference, my source is the head of a rather large radiology department). That is an extreme cost factor. There are a lot of these that kick in when you start to keep data offline. If you were to seriously suggest that
Re: (Score:2)
Do you have any idea how the IT of a modern hospital works? If you had, you would not claim that keeping things offline was an option. Here is a statistic from the time physical X-rays were used: Radiology personnel spent up to 30% (!) of their time searching for X-rays (no, I do not have a reference, my source is the head of a rather large radiology department). That is an extreme cost factor.
Ah, but there's a rather large gulf between "not electronic" and "not connected to the Internet". Medical records could easily be stored in an air-gapped computer and transferred by thumb drive for temporary use, then disposed of.
Data regarding active care (you're in the hospital, you're in the doctor's office right now, etc.) likely needs to be in a network-connected system. But in an ideal world, the second you walk out the door, that data should be copied to a thumb drive and stored on an air-gapped ar
Re: (Score:2)
That would drive up the costs by a lot.
Many hospitals rely on SHARED resources & even before COVID made remote work cool, many radiologists frequently worked from home at least some of the time.
One org I've done work for provides PACS images to 6 major hospitals through private links and perhaps 20 more hospitals & clinics by VPN tunnels
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
That would drive up the costs by a lot.
Many hospitals rely on SHARED resources & even before COVID made remote work cool, many radiologists frequently worked from home at least some of the time.
One org I've done work for provides PACS images to 6 major hospitals through private links and perhaps 20 more hospitals & clinics by VPN tunnels
https://en.wikipedia.org/wiki/... [wikipedia.org]
Indeed. Cost is a major factor here. Also another one somebody explained to me: Emergency patient comes in at night, radiologist at home gets a call a) jumps into car, needs 30 minutes drive and then can do diagnosis or b) fires up computer and reports diagnosis in 5 minutes. 25 minutes faster treatment which can be very critical. Of course, these numbers are made up. But they demonstrate the idea. They also demonstrate the load on the radiologist, that drive does not come free with regard to cost and stres
Re: (Score:3)
"Of course, these numbers are made up. But they demonstrate the idea."
Regrettably I cannot share specifics with you but I'm often involved with troubleshooting slow loading of medical images for remote radiologists & every couple weeks it's someone more than a couple hours drive from the hospital where the patient(s) are located.
So the potential patient impact is very real
Re: (Score:2)
Well, I am talking about modern infrastructure here, of course. I forgot that the US is stuck in the dark ages in that aspect. But pretty much the same idea applies if the radiologist has to walk a few minutes and can instead start to work on the image immediately.
Re: (Score:2)
That would work great until Obama went to electronic medical records; now there is no such thing as "Air-Gapped" and "Medical Records". I know that sounded snarky, but everything has advantages and disadvantages and Obama only did something that was going to happen whether he did it or someone else.
Re: Maybe some stuff should simply not be on onlin (Score:2)
They didn't. Case in point, none of the sensitive information, from SSN numbers to photos, seems to have been stored in encrypted form requiring authentication via physical tokens to be decrypted.
Managers love to think, and say when pressed, that "Security has no ROI". Class actions like these, if pursued by good lawyers who manage to get the right expert testimonies, if successful, would start making that ROI extremely obvious even to the most psychopathic and narcissistic of healthcare CEOs.
Re: (Score:2)
Many of the organizations cannot afford security. The organizations weren't created yesterday, they are legacy organizations built up over a time when they didn't have to worry about security for which it was never properly budgeted. And they were (are) run by people who didn't grow up with security nightmares to sleep to. So those organizations do not have the internal personnel to handle security nor the budgets to put into security.
The miscreants are knocking them off like flies. And it doesn't help that
Re: (Score:2)
And they were (are) run by people who didn't grow up with security nightmares to sleep to.
Till their own personal information gets leaked. Their reward will be two years of credit monitoring delivered with a chuckle and an apology. Hey, if it's good enough for us, it's good enough for them.
Re:Maybe some stuff should simply not be on online (Score:4, Interesting)
If proper liability had been established for bad software then things would be quite different now.
But mostly I think this lawsuit is not helping anyone. If anything, it is motivating companies to pay off the blackmailers, which will only encourage more of the same.
Re:Maybe some stuff should simply not be on online (Score:4, Interesting)
This is a cancer patient. Chances are her doctors will have shared some data with doctors at other hospitals, maybe some cancer specialists located elsewhere. It could be done by posting a CD or flash drive with encrypted data on, but do you really want doctors inserting random CDs/flash drives into their computers?
Even if it was just her medical history, some data probably needed to be transferred. Not doing so would mean worse quality healthcare. We need to find a solution that isn't just "go back to the 1990s".
Re: (Score:1)
They are cutting back. 10 years ago my physician had access to anything done to me at the local hospital. Xrays, CT, reports, everything. If I went to a totally different practice that was associated with the hospital - same thing, and anything the previous practice had on me.
Now the doctor's office can't see my recent hospital visit and they couldn't see my doctor's records. Even my hospital records seem to only go back 5 years. They used to be all-inclusive.
Back to the dark ages I suppose.
I suspect she’s gonna (Score:4, Interesting)
That being said, seems like the hospital should have resigned itself to a payout and maybe offered 5 or 10k to the people who got their nudes leaked, rather than deal with a multi year PR nightmare as these cases run their way through court. Sure, the bean-counter said “let’s offer the cancer patient 2 years of credit monitoring”. My primary question here: why didn't the hospital CEO or the board of Trustees do their job as leaders and authorize a cool million bucks in payouts? Between the lost business due to reputational damage and the lawyers' fees, they’ll spend waaayyy more fighting it out in court.
Re:I suspect she’s gonna (Score:5, Interesting)
Have to prove that the hospital was negligent?
Maybe not, there was no provision in my HIPAA training for negligence. It seems like a pretty clear HIPAA violation by the hospital, even if it wasn't intentional.
Re: (Score:3)
I believe there is lots of precedent for plaintiffs winning against negligent HIPAA violations.
Re: (Score:2)
A large part of HIPAA is calling out security violations when you see them, and addressing them as they are found.
Not finding a HIPAA violation is one thing; leaving a vulnerability, and not calling it out after it is known, is absolutely a violation.
Health care organizations are required to have a chain of command for calling out HIPAA violations, specifically, a POC for any and all violations for the organization, that is then required to address any violations that are found. In addition, the U.S. De
Re: (Score:2)
That's generally how data protection works in Europe too. Even if it wasn't deliberate, even if they were the victims of a crime, they had a duty to protect that data and they didn't.
Re: (Score:2)
Not only HIPAA but sounds like there were some PCI [forbes.com], Payment card industry, compliance violations as well.
Re: (Score:2)
IIRC HIPAA is strict liability
Lest we forget, the doctrine of Res Ipsa Loquitur came about because a surgeon amputated the wrong leg and then everyone involved (nurses, hospital staff, administrators, other doctors) obfuscated the details of how it happened to the point where negligence could not be proved... except via the creation of a new judicial doctrine with a pithy Latin name.
Re: (Score:1)
> like the civil liability would fall on the ransomware gang itself.
Depending on jurisdiction, that may not be true. The ransomware gang is guilty of the *crime*, of course; but whoever had the data and was responsible to keep it secure, might be responsible for its security, in much the same way that whoever builds a reservoir is responsible for the flooding if the reservoir wall breaks, and the plaintiff may not need to show wrongdoi
Re: (Score:1)
Encrypt. At. Rest.
preventable? (Score:3)
Re: (Score:2)
Preventable by not having the nudes accessible to the internet. Simple.
Re:preventable? (Score:5, Insightful)
I had a family member with a minor brain injury. The scans taken at the hospital were available at the doctor's office before we could drive there.
The ability to get that data from the technician to the physician instantly was very valuable to the person who wanted to know if they would recover or not... but the doctor didn't have wire running out the exam room window to the hospital to be part of an isolated LAN.
It was almost certainly a healthcare system he accessed over a VPN, using credentials to unlock data tagged with him as the patient's doctor.
It was also almost certainly NOT a foolproof security setup.
Yes, the healthcare folks should do everything reasonable to secure the data, but we should also start stabbing black hats when we catch them.
better solution (Score:4, Interesting)
encrypted memory stick, given to patient/family with password, hand carried along with the patient to doctor's office, decrypted and viewed on doc's non-internet connected system. problem solved.
I have experience hand carrying my own medical records (on DVDR) from one hospital to another. It worked fine. The time difference between the records arriving just before the patient and arriving with the patient is likely going to affect far fewer patients in any year than all the hacking of records affects every year. There just are not that many instances where a pile of records that could take hours to read are so time-sensitive in patient treatment that a few minutes difference in arrival time will matter.
Re: (Score:2)
Plenty of things are dealt with by clinicians in separate cities or countries collaborating without the patient being directly involved.
The MERS virus was identified as something novel when the doctor treating an infected man in Saudi Arabia shared lab reports with a colleague in Europe & not by snail (camel?) mail
Re: (Score:2)
And when you have to drive over to the office to show the Receptionist how to insert a USB stick encrypted or otherwise into her computer?
Re: (Score:2)
There are ways to allow such use with proper security nowadays.
But it's going to be a question of cost + ease of use for the doctors.
I know of some big orgs where the laptops automatically connect to the VPN in the office upon login. USB is disabled, and you can only access approved software on the laptop.
Internet access is monitored at the other end and can be limited / blocked by the main office as needed.
So a dedicated system just to connect to the relevant central data, which can't connect
Re: (Score:2)
"But at least if the records are physical, you reduce the amount of crooks who can get to them to exactly how many are willing to visit the storage location in person"
That would mean restricting the options as to where someone can be treated or to have the data copied & transported - which can be insecure - or to have the tests repeated at another location which can be time-consuming & an unnecessary cost
Re: (Score:2)
"I already said "there can be exceptions""
I can tell you that in large, complex or busy environments, those "exceptions" quickly become the rule, especially when cost-cutting is the order of the day.
"Jesus H. Christ, you people are weak-minded"
Bitch, please. You don't have a clue.
Do you think your MRIs magically transport themselves into secure physical storage?
That only happens through a chain of human hands, with the real potential for mistakes, duplication & theft at every step.
And where is all this
Re: (Score:2)
You are the perfect example of a weak-minded defeatist clown.
Says the fool who thinks going back to the IT equivalent of the Stone Age is the answer.
Eat a bag of cocks.
The Amazon store is fresh out; *someone* must have had a huge order shipped OVERNIGHT.
Have a lovely weekend
Re: (Score:2)
Special Forces Death squads
Re:preventable? (Score:4, Insightful)
Given that 0-days are inevitable and not preventable, and defence-in-depth is not a new phenomenon, and given that it's generally recognised that the health industry must adopt these strategies because the threat of cyberattacks is not exactly decreasing [healthitsecurity.com], one could reasonably argue that LVHN were negligent here.
Until it starts costing health-care providers real money (through law suits), they ain't gonna take cyber security seriously, which is a threat to everyone using the healthcare system.
Re: (Score:2)
Zero days can be reduced massively by good design, redundant security architecture and careful testing. Not 100% but 99%.
Re: (Score:2)
My point is that the claim using zero-days is bogus. That is not where the problem lies.
Good. I hope she wins. (Score:2)
The gross negligence that let these fuckers in needs to stop. Sure, if we could nuke the attackers, that would be better, but we cannot except in rare cases because we do not know who they are. Hence IT security has to finally be taken seriously and this lawsuit is a good step in that direction. Eventually even Microsoft will have to stop messing up all the time in this space.
Re: (Score:2)
This may require nukes from high orbit.
Re: (Score:2)
Works for me.
Re: (Score:2)
Eventually even Microsoft will have to stop messing up all the time in this space.
And yet open-source comes with a "we can't be blamed" license as well.
Re: (Score:2)
Of course it does. Since it's allowed to, it would be foolish not to claim the exception. But Free Software shouldn't be expected to be MORE secure than "purchased" software. But it is. There are fewer exploits and they get fixed more quickly.
However, that doesn't mean that the hospital was following "best practices", or even "good practice". Encryption of sensitive data can be done even on MS systems, with the decryption keys not stored on the same system. (There's no sensible way to prevent imprope
Re: (Score:2)
Not if somebody takes responsibility for putting it in. The real difference is that QA works differently for FOSS. In the end you have to pay somebody if you require somebody to take responsibility. If the product is overall a lot better (proven FOSS), you have to pay a lot less for that.
Hope that VP gets fired. (Score:2)
And the hospital is sued out of existence. We need at least one big penalty to prod the rest of the herd into doing something.
Re: (Score:2)
No they won't. The most likely outcome of this is they will get you to sign a waiver, and pass any extra security cost on to the patients with a huge markup.
Hospitals are not going away (I hope) and people dying of cancer will pay almost anything, and agree to anything to be treated.
What will it take ? (Score:5, Insightful)
What will it take to get these commercial organizations to take security seriously?
This day and age it is not that difficult to password protect this data, or even better yet force the use of gnupg.
If a breach happens, for each person impacted, 1% of the company's revenue including revenue from all parent companies goes to each person. If the company declares Chapter 11, the people impacted get first in line. Plus all exec bonuses for the past 5 years are also divided out.
Then you can be sure these breaches will stop in a hurry.
Really? (Score:2)
Really? Ya gotta look at cancer patients. Like, there's not enough free porn on the Internet? That can't be good either, because cancer patient. Ohhhh, check out the sexy tumor on her! No. I'm not surprised. There are probably people that actually get off on that aspect of it. It's just... just... Ya gotta look at cancer patients? Come on. Work up some gumption and do it in real life. Maybe hang out at the hospital cafeteria. Just ask them. "Carpe diem!" That might work.
Re: (Score:2)
I think the solution to this is to simply not care that your pictures are released. There is plenty porn on the internet and your life has not significantly been impacted by it unless you convince yourself it has. Sure the court could make the hospital liable but the only real outcomes I can see of this happening are:
1. Increased costs of medical care, since the hospitals will have to pay for increased security, which they will pass on without hesitation.
2. Decreased quality of care, since doctors will not
Best Outcome (Score:2)
I feel like given the choice between paying off the hackers, and having to pay for lawsuits, paying for lawsuits is better even if it costs the company more.
If all companies just refuse to pay the malware people, the attacks will naturally diminish without many good paydays because there still is risk in the attacks.
It does suck for the people involved whose data was leaked but once hackers have it were they really going to keep it all private anyway even after you paid them off? I feel like that horse lef
Re: (Score:2)
While it would be good if companies never paid, it will never happen because companies will do what they have to do by their very nature and that is: Pick the most cost effective option, and hackers will set a price such that the option is to pay them.
Make bug bounty programs mandatory (Score:1)
It's going to become cheaper to pay the hackers... (Score:2)
Sounds like victims of the hack will pay the hackers vs. potential years of legal fees + favorable judgements for those whose data was "released" to the wild -- the ultimate victims.
Build a better mouse trap (by not paying the hackers), you get better mice (who will cost you more by releasing your information and cause your clients to sue you)
No excuse, but easy punishment (Score:3)
There's no excuse for anybody putting vital records of ANYTHING onto an internet-connected computer, just as there's no legitimate reason to put any interface to any vital infrastructure on to the net. Most of the "important" justifications people use are just excuses for laziness/convenience. Somebody does not want a person on duty at the hydroelectric dam, and does not want to send people there to check it periodically... it MUST be connected to the web! Somebody does not want to take the time or spend the money to transfer medical records by a secure means... it MUST be sent across the net! It's always the convenience of the people controlling the facility or holding the records that is considered and NEVER the people who will suffer all the harm if there's a security violation.
When technology is in the hands of idiots, deterrence is nearly always the answer. We certainly use deterrence with nukes.
All the executives of Lehigh Valley Health Network, its IT staff, and the person who called this cancer patient and chuckled about the leak, should ALL be photographed in the nude and in the least flattering poses and the photos should be posted to porn sites and copies distributed to the press. I predict this would cause an immediate security improvement at ALL medical facilities.
The most-common scam response by companies that leak data is to offer "identity theft protection". This so-called protection is always of a limited duration, is unlikely to actually do ANYTHING, is very cheap to purchase for the entity that lost a bunch of peoples' data (the protection services are happy to offer cheap coverage in the hope that after the "free" coverage ends, the victim will transition to paid coverage) and it does NOTHING about damages other than identity theft, like what this patient suffered. The problem currently is that the people deciding how to handle other people's data are not, themselves, at any risk and not generally likely to be hurt by any punishment they are likely to face; they have nothing on the line and thus improperly weigh the various factors that go into their choices of actions. This can only be changed by giving them a dog in the hunt.
Re: (Score:2)
There's no excuse for anybody putting vital records of ANYTHING onto an internet-connected computer
Yes there is. Being able to actually work effectively with your medical data is very useful for actually getting treated.
Re: (Score:3)
...The problem currently is that the people deciding how to handle other people's data are not, themselves, at any risk and not generally likely to be hurt by any punishment they are likely to face; they have nothing on the line and thus improperly weigh the various factors that go into their choices of actions. This can only be changed by giving them a dog in the hunt.
This lack of enforced personal accountability is the fundamental problem of our society, and it dates back to when corporations - keeping in mind that LVHN is a corporation - were granted personhood under the law [brennancenter.org]
Individuals employed by corporations - especially but not exclusively officers - must be held accountable in both civil and criminal courts for the crimes and negligent actions committed by those corporations. Then the kind of carelessness which leads to stories such as this one will undergo a dras
Re: (Score:2)
There's no excuse for anybody putting vital records of ANYTHING onto an internet-connected computer, just as there's no legitimate reason to put any interface to any vital infrastructure on to the net.
Well actually,
As a part of the American Recovery and Reinvestment Act, all public and private healthcare providers and other eligible professionals (EP) were required to adopt and demonstrate “meaningful use” of electronic medical records (EMR) by January 1, 2014 in order to maintain their existing Medicaid and Medicare reimbursement levels.
Internet connected computers are baked into the system.
Data is toxic - do not store it (Score:2)
Wow, her lawyer will have a field day (Score:2)
A few billion punitives will make sure that the other hospitals get the money to update their server security.
SSN’s and lack of consent (Score:2)
SSNs have not been needed for several years. I think taking nude photographs would need an extra consent. Hard to imagine this was not done.