The Morning Call

What you need to know about LVHN hack

Patient info, photos on dark web after ransomware attack

- By Leif Greiss

The recent ransomware attack on Lehigh Valley Health Network has led to patient information and photos being posted online and a class-action lawsuit against the network.

The February attack by ransomware operator BlackCat was made on the network of a single physician practice in Lackawanna County but resulted in a massive amount of patient data getting leaked.

LVHN has made clear it is not going to pay the ransom even after hackers leaked patient photos to the dark web. However, in the class-action lawsuit filed Monday by Saltz Mongeluzzi & Bendesky on behalf of patients whose photos were posted online, the plaintiffs accuse LVHN of putting profits over patients and failing to do what was necessary to stop the hack from occurring.

Here is what you need to know about the hack, the data that was leaked and what to do if you’re a victim:

What data was leaked?

About 132 gigabytes of patient data and photos were leaked as part of the hack. Ransomware hackers have been known to encrypt data they steal, preventing the victims of the hack from accessing it or essential systems until the ransom is paid, but that does not appear to have happened in this case.

A spokesperson for LVHN said they could not share exact details about what data was leaked. However, the network is working with cybersecurity firms and experts to analyze the scope of the data and analyze the content involved.

But the class-action lawsuit filed by a patient referred to as Jane Doe states that, besides photos, she was told by a network representative that her address, email address, date of birth, Social Security number, health insurance provider, medical diagnosis and treatment information, medications and lab results were also possibly part of the leak.

What is going to happen to the data?

The leak has already resulted in photos of patients getting leaked to sites on the dark web in retaliation for LVHN’s not paying the ransom. More photos or information may be leaked.

Nicklaus Giacobe, information science and technology professor at Penn State University, said ransomware hackers ultimately are out to make money off the data they steal. These types of actors may not use the data they obtain for themselves, but there are plenty of illicit uses for information such as names, addresses, phone numbers, birth dates and Social Security numbers — and plenty of individuals willing to pay for it.

He said in the modern economy, where many people don’t show up for work in person, this information can even be used to apply for jobs.

The class-action lawsuit homes in on the value of personal medical information to hackers as well, specifically how inflexible the information contained within a medical record is. Medical records can be used for a variety of illicit activities, such as illegally obtaining prescription medications, filing false medical claims or stealing the patient’s identity to open credit cards and fraudulent loans, according to an article published by Fierce Healthcare.

What can I do if my data was part of the leak?

There is nothing patients can do to stop the BlackCat hackers from posting their photos or information online or from selling it to other people who will use it for identity theft or other purposes, Giacobe said.

While the steps patients can take to protect themselves from the data leak are limited, Giacobe said anyone who thinks their information was compromised because of the hack should contact the three credit reporting agencies, Equifax, Experian and TransUnion, as soon as possible.

“If I were to advise someone who contacted me and said, ‘Hey, I think my data might have been in this breach. What should I do?’ Well, one of the first things I would advise them to do is to go examine their credit history at all three credit bureaus and probably freeze their credit at all three credit bureaus,” Giacobe said. “The credit freeze is one of the only tools that we have, in terms of identity theft, to prevent further action.”

But Giacobe said there aren’t any clearinghouses that manage health information the way credit bureaus do financial information, and victims have few options beyond possible legal action.

Why isn’t LVHN paying the ransom?

The federal government has taken a firm stance that victims of ransomware hacks should not pay ransoms, as it incentivizes more ransomware attacks elsewhere. It’s also a violation of U.S. regulations to facilitate ransom payments on behalf of ransomware victims.

Besides the legal considerations and ideological stances, there are practical considerations of ransomware hacks too, including how badly the ransomware cripples the organization and prevents it from operating.

Giacobe said many early attacks, like a 2019 attack Baltimore experienced, focused on encrypting data and systems to cripple operations and force the hand of the victims. Baltimore did not pay the ransom, but victim organizations do pay in many cases.

While encrypting data and holding it hostage does still occur, ransomware actors found that some victims are willing to spend the same amount as the ransom, or more, to repair their networks and recover data instead.

This is why some ransomware hackers like BlackCat add the extra twist of the knife and start disclosing private information, which harms the organization’s reputation and opens them to new or increased legal liability, Giacobe said.

This puts health networks like LVHN, as well as patients, in a no-win situation, where regardless of what the network does the hackers are in a position to do whatever they want with the data, Giacobe said.

“This is one of the reasons that we tell people don’t pay the ransom because the ransomer is going to do whatever they’re going to do,” Giacobe said.

LVHN has said operations were not affected by the hack.

Daniel Lopresti, a computer science professor at Lehigh University, said ransomware hackers are impatient and usually want to get their money quickly so they can move on to another victim. They will give up if enough time passes, but that doesn’t mean they destroy the data.

“In the end, they’ll do whatever they can to try to make money,” Lopresti said.

Why is health care such a big target for ransomware attacks?

Thousands of ransomware attacks occur each day, according to a U.S. government interagency report. The reality is that ransomware will likely be here to stay for some time, and it’s only getting easier for bad actors to launch attacks.

Modern hacking doesn’t necessarily require a lot of technological know-how. Those with the skills to write ransomware now often operate businesses, where they distribute the ransomware to those without the time or skills to make it themselves.

This business model is called “ransomware-as-a-service,” Giacobe said, and the ransomware operators get paid a subscription, a flat one-time fee and/or a cut of the profits gained from attacks using their ransomware.

Lopresti said health care systems are high-value targets for hackers, and will likely remain so in the future. This is partly because health care providers hold a lot of sensitive and time-critical personal data. Medical records are highly specific and, unlike credit card numbers, phone numbers or addresses, can’t be canceled or changed.

He added they also have large numbers of employees, often distributed over a wide geographic area, whose focus is on the well-being of their patients, not on the detailed aspects of the computer technology they’re using. Ransomware often exploits openings created by human error and BlackCat’s ransomware gains access to a targeted system using compromised user credentials, according to the Center for Internet Security.

What can health care providers do to protect patient information?

Under the Health Insurance Portability and Accountability Act of 1996, hospitals are required to protect confidential patient information. Part of this requirement extends to safeguarding electronically stored patient information from ransomware and other malware attacks, including identifying network vulnerabilities, and ensuring that backups of electronic records exist, as well as setting contingencies in the event that a breach occurs.

The recent class-action suit argues that LVHN has violated HIPAA and that, according to guidance from the U.S. Department of Health and Human Services, hackers encrypting or obtaining patient health information is a “disclosure” not permitted under HIPAA.

“I think it behooves all health care-related organizations to look very carefully at this type of attack mechanism and realize that they’re all targets,” Giacobe said. “It’s not just a question of, can I put all the pieces back together after somebody blows it up and we get ransomware on our system? Now they’re ... using this data as a weapon against us. So we really have to up the game.”

Firewalls, encryption-in-transit and dual-factor authentication can make networks more secure but are useless if the ransomware exploits a loophole or issue that lets it bypass those security measures and access the system directly.

Giacobe said many risk analysts now think encrypting every record in the database individually is the next-best step to fighting ransomware attacks. This method would make the data stolen by hackers useless unless they were able to obtain all the keys that decrypt the data.

However, he said, this level of encryption is very difficult to effectively manage.

Lopresti said there are other downsides too.

Record-level encryption slows down legitimate access to the data because each time it’s used it needs to be decrypted, a reality that is bound to be unpopular with already-time-starved doctors and nurses. He added that encrypting your own data doesn’t prevent a ransomware hacker from encrypting it again and denying you access.

“It’s this never-ending battle — you always have to be on top of it,” Giacobe said. “It’s sad that these things occur. Systems get broken into, attackers figure out ways to twist the knife when they do it, but that’s the state of where we are today.”
