‘Jane Doe’ Wanted Health System to Pay Ransom to Take Sensitive Photos Off Dark Web
The lead plaintiff in a proposed class action lawsuit against Lehigh Valley Health Network dropped her push for a court order requiring the medical center to pay ransomware hackers in exchange for their pledge to remove from the dark web partially naked exam room photos stolen during a hacking incident.
The mid-April decision by cancer patient Jane Doe’s legal team to drop their legal bid for an order came after the federal judge in the case pressed her attorney over whether the court has authority “to force a party to comply with an illegal act or pay an illegal ransom.”
Lehigh Valley Health Network refused to pay a ransom in the aftermath of a February attack launched by affiliates of Russian-speaking ransomware-as-a-service group BlackCat – also known as Alphv. The group responded by posting onto its leak site exam photos of Jane Doe and another patient taken during stages of undress during breast cancer radiation treatments (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).
Brian Nester, the CEO of Lehigh Valley Health Network, which operates 13 hospitals and numerous physician practices and clinics in eastern Pennsylvania, admitted on Feb. 22 that the entity had been hit with an attack by BlackCat (see: Pennsylvania Health System CEO Confirms BlackCat Attack).
Nester said the organization’s initial analysis showed that the incident involved a computer system “used for clinically appropriate patient images for radiation oncology treatment and other sensitive information.”
Worth a Try
Attorney Erik Weinick of the law firm Otterbourg, who is not involved in the Lehigh Valley Health Network case, says U.S. District Judge Malachy Mannion’s questions to Jane Doe’s attorneys about the authority of the court to order Lehigh Valley Health Network to pay “an illegal ransom” highlight the challenges presented by the relief sought by the plaintiff.
“Judge Mannion asked exactly the right question: ‘What authority do I have to grant the relief you are requesting,’ or conversely, ‘How am I not expressly precluded from granting the relief you are requesting?’” Weinick told Information Security Media Group.
“Judge Mannion’s exact words more than infer the court’s initial conclusion that the relief sought likely constitutes an illegal act,” Weinick said, adding, “A court may not compel a party to perform an unlawful act.”
Victims of other data breaches and similar leaks should not take the latest developments in the Lehigh Valley Health Network legal case as a reason to not pursue remedies in their own post-cyberattack battles, Weinick said.
“It would be unfortunate if those working on behalf of cyber victims are discouraged from developing innovative and ameliorative solutions as a result of the ‘scrubbed launch’ here,” he said.
Neither Lehigh Valley Health Network nor an attorney representing Jane Doe in her lawsuit against the entity immediately responded to Information Security Media Group’s request for comment on the latest developments in the legal case.