Health system to pay $65 million after hackers leaked nude patient photos

Source: Washington Post

Health system to pay $65 million after hackers leaked nude patient photos

The episode highlights the risk of cyberattacks and their legal aftermath for health-care organizations with especially sensitive information

By Daniel Gilbert
September 22, 2024 at 7:00 a.m. EDT

In March 2023, a Pennsylvania woman received a phone call from a health-care executive that left her in disbelief: Hackers had obtained photos of her naked body while she underwent radiation treatments and posted them to a dark corner of the internet. … Lehigh Valley Health Network refused to pay a ransom “in excess” of $5 million to recover the photos and other stolen patient information, but it couldn’t sidestep financial damages from the breach.

The unidentified woman, who is in her 50s and known as Jane Doe, became the lead plaintiff in a class action suing Lehigh for failing to safeguard highly sensitive patient information, including nude photos of hundreds of cancer patients. On Sept. 12, a law firm announced that Lehigh had agreed to pay $65 million to settle the case.

As hackers penetrate American health-care firms with alarming regularity, the episode reveals how cyberthieves are exploiting uniquely sensitive data — with devastating human and financial consequences.
Data breaches that compromise health information of hundreds of Americans happen on a near-daily basis, according to a Washington Post review of cases compiled by the U.S. Department of Health and Human Services going back to 2022. The FBI’s Internet Crime Complaint Center received more reports of ransomware attacks on health-care industry targets last year than any other of the 16 sectors it tracks.

The Lehigh Valley case also highlights the legal predicaments for health-care organizations that are increasingly targeted by hackers, leaving them vulnerable to both the cybercriminals and subsequent lawsuits brought by patients whose lives are upended by a breach.

{snip}

By Daniel Gilbert
Daniel Gilbert joined The Washington Post in 2022 and writes about the business of medicine. He previously spent seven years as an investigative reporter for the Seattle Times, and before that covered business for the Wall Street Journal. For sensitive tips, he can be reached on the Signal app: (773) 350-6933.follow on X @bydanielgilbert

Read more: https://www.washingtonpost.com/business/2024/09/22/health-system-pay-65-million-after-hackers-leaked-nude-patient-photos/