Published on: March 9, 2023
Lehigh Valley Health Network (LVHN) recently confirmed that three images of cancer patients undergoing radiation oncology treatment and seven other documents containing patient information have been posted on the dark web. The leak follows a cyberattack that was discovered on Feb. 6 and executed by the Russian-linked ransomware gang, BlackCat.
According to LVHN’s Tuesday statement, “this unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior.” The gang had demanded a ransom, but the health network refused to pay.
Dr. Pablo Molina, the chief information security officer for Drexel University, warns against paying ransoms since it would only “facilitate future attacks on other organizations.” He notes BlackCat tends to target US hospitals because “this is where a lot of money is,” and the gang has had successful operations in the past.
The Department of Health and Human Services warned about BlackCat in January, saying that it is a new but very proficient ransomware threat to the health industry.
BlackCat ransomware, also known as ALPHV, is often used for double extortion, where attackers steal data, encrypt it, then threaten to release it to the public if the demanded ransom isn’t paid. The cybercriminal group has largely targeted US health services since it was first detected in November 2021, demanding ransoms as high as $1.5 million, of which affiliates keep 80-90% of the ransom fee.
The cyberattack on Lehigh Valley Health Network is a stark reminder of the growing threat of ransomware attacks against the healthcare sector. Patients’ personal and sensitive medical information can fall into the wrong hands, putting them at risk of identity theft and other harmful outcomes.
Experts warn that hospitals and healthcare organizations need to prioritize cybersecurity measures to prevent cyberattacks from happening in the first place. They must also have contingency plans in place to respond to such incidents to minimize the damage done in the aftermath.
Lehigh Valley Health Network (LVHN) is comprised of 13 hospital campuses plus numerous health centers, physician practices, rehabilitation locations, ExpressCARE sites, and other outpatient care locations in 10 eastern Pennsylvania counties, according to its website.