Patient Drops Request to Compel Hospital Group to Pay Ransom


A patient dropped a request for an injunction against Lehigh Valley Health Network to force the healthcare group to pay a ransom to hackers in a bid to have photos of her naked, taken during treatment, removed from the internet. 

The patient, named as Jane Doe in a lawsuit filed in March, initially asked a judge to compel the Allentown, Pa.-based company to pay a ransom of more than $5 million to the BlackCat ransomware group. She withdrew the request April 18 after the federal judge overseeing the case requested an explanation of why the court would force Lehigh Valley “to comply with an illegal act or pay an illegal ransom.” 

Shortly after the February ransomware attack, Brian Nester, Lehigh Valley’s president and chief executive, said in a statement that the company “refused to pay this criminal enterprise.”

A spokeswoman for Lehigh Valley said, “As a matter of policy, Lehigh Valley Health Network does not comment on active litigation matters.” 

The judge’s memo didn’t specify what laws would be violated if Lehigh Valley were to pay hackers.

Companies that pay ransom fees to hackers based in Russia could be violating U.S. sanctions. Cybersecurity firms have said the BlackCat cybercrime group communicated in Russian. U.S. authorities discourage companies from paying ransoms because doing so could encourage more attacks. 

Hackers attacked Lehigh Valley in February, and in March posted naked photos of Jane Doe, according to her complaint. The company identified around 2,760 patients whose “clinically appropriate photographs” were potentially stolen, Lehigh Valley’s chief compliance officer said in a court filing. They reside in New York, New Jersey, Virginia, Georgia and California, according to the filing. Lehigh Valley runs 13 hospital campuses and numerous health centers, labs and other services in Pennsylvania.

Jane Doe’s withdrawal of the demand underscores how tricky it is for victims of ransomware attacks to seek recourse after their data is stolen and exposed.

People whose sensitive data is hacked have few options to prevent it from being posted online, said Doron S. Goldstein, a partner at law firm Withersworldwide. Even if companies pay ransoms despite warnings from law enforcement, doing so doesn’t guarantee hackers will follow through on any promises to delete data or refrain from publishing it, he said.

“The fact that it was attempted indicates that people are searching for these solutions,” he said.

Jane Doe said she wasn’t informed the hospital took the photos in the first place, and worried that people would identify her, according to her lawyer, Patrick Howard, a partner at law firm Saltz Mongeluzzi Bendesky PC. 

In a letter to the federal judge on April 10, Mr. Howard said that hackers made the leaked photos searchable by patient name.

The unusual request to compel a company to pay a ransom to hackers raised thorny legal questions, cybersecurity lawyers say. 

There is a high legal burden for a court to order a company to do something, such as paying a ransom, as opposed to refraining from doing something damaging, said Jason Kravitz, a partner and head of the cybersecurity and privacy practice at law firm Nixon Peabody LLP.

“They have the right to pay or not to pay. That’s a business decision for the hospital to take,” he said.

Write to Catherine Stupp at catherine.stupp@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
