LVHN Releases Update on Cyberattack, Says It Identified Compromised Patient Information
Lehigh Valley Health Network has provided additional information regarding a cyberattack and data breach that it suffered earlier this year.
Lehigh Valley Health Network recently issued a release about the cybersecurity attack, which the network said was perpetrated by the ransomware gang BlackCat, which has been associated with Russia.
The attack was focused on Lehigh Valley Physician Group-Delta Medix in Scranton, and resulted in patient information, documents and photos being posted to the dark web.
According to a previous network statement, LVHN detected unauthorized activity in its IT system on Feb. 6, notified law enforcement and launched an investigation with the help of leading cybersecurity firms and experts. The breach was determined to have occurred on Jan. 8.
LVHN also said it refused to pay the ransom the group was demanding.
The health network said through its investigation, it has identified personal information in the files that the hackers acquired.
The information varied by individual but potentially included names, addresses, phone numbers, medical record numbers, treatment and diagnosis information, including Current Procedural Terminology codes, and health insurance information.
Some individuals may have also had their email addresses, banking information, Social Security numbers or driver’s license numbers compromised, and clinical images of patients during treatment may have also been accessed for a limited number of people.
LVHN said it began notifying individuals whose information was involved in the cyberattack on March 14. The network said the majority of notices would have been sent out by the end of June.
LVHN said that it took “prompt action” to contain and address the issue and continues to work with cybersecurity professionals to bolster its cyber defenses.
The network also noted that it has invested in enhancing the security and protection of its IT systems and will continue taking steps to safeguard data.
Additionally, LVHN said it has arranged to provide affected individuals with a 24-month complimentary subscription to Experian’s IdentityWorks monitoring service. Information on how to activate one’s membership is included in the notification letters.
In March, a class action lawsuit was filed against LVHN over the breach, alleging that the health network put financial considerations over patient privacy by refusing to pay the ransom.
It also claimed that the network failed to employ adequate security measures to protect patient information.
The lead plaintiff, identified as Jane Doe, is a resident of Dunmore, Lackawanna County who was receiving breast cancer treatment.
According to the suit, Doe was notified by LVHN that her sensitive information, including nude images of her during treatment, compromised in the breach and posted to the dark web.
The suit also said Doe did not know that LVHN retained screenshots of patients receiving treatment on its network.
LVHN said in its March statement that among the stolen information were three screenshots, “which are clinically appropriate photographs of cancer patients receiving radiation oncology treatment at LVPG Delta Medix.”
The suit’s factual background section says the hackers uploaded an additional 132-gigabyte file onto the dark web, which included patient data and photos, after the health network failed to meet their demands.