The perpetrators of ransomware attacks are pretty low with their moral standing, but a recent attack by the BlackCat gang shows that they can sink to some very low depths.
In the blog I posted yesterday, I highlighted a ransomware gang called ALPHAV, who also go by the names BlackCat, AlphaVM, ALPHV-ng, and Noberus. This attack is attributed to the gang under their BlackCat identity.
In February 2023, the gang infiltrated the IT infrastructure of Lehigh Valley Health Network (LVHN)- a private health care organisation operating in various locations in Pennsylvania, USA.
The company manages 13 hospital campuses, 28 health centres, 20 expressCARE locations, and numerous clinical support centres (pharmacies, laboratories, rehabilitation centres, imagery support, etc.)
In the attack, the gang stole a wealth of data including sensitive patient records, and issued their ransom demand. It is unknown what the value of the ransom was, but in the past, BlackCat have demanded ransoms as high as USD $1.5 million.
Officials at LVHN refused to pay the ransom, which ultimately led to the attackers releasing their stolen data on the dark web.
It’s here where the story turns very ugly.
In the leaked data were a number of highly sensitive images of patients who were undergoing treatment for cancer, including “clinically appropriate photographs of cancer patients receiving radiation oncology treatment “
It’s one thing to steal data from any company, let alone a healthcare organisation, but its another thing entirely to release highly sensitive and personal images of patients with any illness, but those suffering with cancer – that’s a whole new low.
Lawsuits
After the data breach, a victim who’s photographs were among the files leaked has started a class-action legal process against LVHN, in order to seek damages.
The lawsuit states :“While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and internationally ignoring the real victims: Plaintiff and her Class”
The filing claims that LVHN was negligent in its protection of sensitive information.