The IT website The Register reported that medical records of at least two breast cancer patients containing above-the-waist nude photos were part of 75,000 patient records stolen by the BlackCat malware group.
After Lehigh Valley Health Network (LVHN) refused to pay the ransomware gang, BlackCat began leaking patient info, including photos of the two cancer patients.
In a lawsuit filed on March 13, 2023, one of the patients, using the pseudonym “Jane Doe” to protect her identity, detailed how she discovered the breach. One notable allegation claims that when notifying Doe of the incident, the LVHN VP of Compliance “…offered plaintiff an apology, and with a chuckle, two years of credit monitoring.”
The lawsuit further alleges that in addition to the photos, the ransomware gang likely stole Doe’s physical and email addresses, date of birth, Social Security number, health insurance provider, medical diagnosis and treatment information, and lab results in the breach.
Attorneys representing Doe say they expect the number of patients affected by the breach to be in the “hundreds if not thousands” and noted that in 2021 LVHN also reported the theft of patients’ protected health information from a business associate.
Healthcare Data Breaches and Lawsuits
While the details of this case are atypical, it highlights another source of liability for healthcare organizations and their business associates from lawsuits related to data breaches.
Under HIPAA rules and regulations, patients cannot sue covered entities or their business associates for damages because of HIPAA violations. Federal enforcement of civil and criminal HIPAA violations is the responsibility of the Health and Human Services Office for Civil Rights and the U.S. Attorney’s Office.