Lehigh Valley Health Network agreed to pay a $65 million settlement after nude photos of patients surfaced on the dark web following a cybersecurity incident. Though medical information has long made health care providers a target for ransomware groups due to its private and sensitive nature, this settlement likely will result in increased attacks against the health care industry.
Following a cybersecurity incident, Lehigh Valley elected not to pay the $5 million ransom to BlackCat/ALPHV — a highly pernicious ransomware group that was responsible for the MGM Casino and Resort breach. Though the decision whether to pay a ransom varies significantly in each incident, it generally comes down to a question of financial risk.
Will paying the ransom offset the risk by more than the ransom amount?
In the case of personally identifiable information, such as Social Security numbers, and protected health information, the answer is generally no. This is because a class action lawsuit is almost guaranteed where the number of individuals impacted is greater than 1,000 — and that is the case whether the ransom is paid or not.
State laws and federal regulations require notifications to individuals, state attorneys general, and regulators in the event of a breach that affects a certain number of individuals. These breaches are publicly displayed on state attorneys general and regulators’ websites. Plaintiffs’ law firms scrape these sites, solicit class members, and file suit as quickly as possible — often using the same complaint over and over again. Data breach class action lawsuits rarely go to trial and often settle for several hundred thousand to several million dollars.
As a result, paying a ransom is economically impractical when personal information or protected health information is impacted. (Note: This calculus changes significantly when trade secrets or confidential business information is involved).
However, the Lehigh Valley settlement just changed this calculus. Now, ransomware actors are going to be on the hunt for .png, .jpeg, .mp4 and other image and video files stored on health care networks. If they find nude images or videos of patients, the value of their bargaining chip increases exponentially.
When compared with a $65 million settlement, a $5 million ransom looks much more appealing — and that is what the ransomware groups are counting on.