US-based healthcare service Lehigh Valley Health Network (LVHN) has sought to dismiss the lawsuit filed by a patient who lost her personal data, including naked physical examination pictures.
The LVHN lawsuit was filed in the U.S. District Court for the Middle District of Pennsylvania.
According to reports, the company is claiming that patients cannot hold it responsible for the theft of their personal images.
The company argues that it did everything possible to safeguard the sensitive information of its patients and that the responsibility for the theft lies solely with the hackers who illegally gained access to the data.
Arguments over the LVHN lawsuit
The company’s statement comes after several of its patients reported that their private images were stolen and shared online without their consent.
The patients claimed that the company failed to adequately secure its systems, leaving them vulnerable to cyberattacks.
A cancer patient filed a class action lawsuit on March 13 after her partially naked photos were stolen and leaked on a ransomware site during a data breach.
The patient accused the hospital of putting money over patient privacy by refusing to pay the ransom demanded by the hackers.
“Even if the plaintiff’s information had been publicized, Count V still fails because LVHN did not voluntarily publicize that information. To be liable for a claim for publicity given to private life, a defendant must voluntarily and intentionally publicize the information,” the brief read.
The data of the plaintiff accusing the healthcare of considering not paying a ransom over patient information security was leaked on the dark web by the BlackCat ransomware group.
The plaintiff found out about their images being leaked online and was stored in the systems of Lehigh Valley Health Network only after watching media content.
The argument to dismiss the plaintiff’s claims
“LVHN respects this potential impact to Plaintiff, which is why it prioritized notifying Plaintiff—and the other patients whose photographs were posted on the dark web…” read the brief published on Friday, May 5 as a response to the LVHN lawsuit.
However, plaintiff’s publicity to private life claim fails because her information is not (and is not substantially certain to become) public knowledge and because BlackCat, not LVHN, disseminated her information,” it added.
It is a known legal standard that to survive dismissal under Rule 12(b)(6), the lawsuit must be backed by sufficient factual matter, that can be accepted as true, to ‘state a claim to relief that is plausible on its face,’ the network brief further read.
Lehigh Valley Health Network ransomware attack, leaked photos and LVHN lawsuit
LVHN is a group of 13 hospital campuses, 28 health centers, and lab services in 10 eastern Pennsylvania counties among others. Unauthorized access to the Lehigh Valley Health Network was detected on February 6, 2023.
LVHN disclosed that it has suffered a cyber attack from Russian ransomware group BlackCat/ALPHV. In a statement, LVHN President and CEO Brian A. Nester said that the attack had not disrupted LVHN’s operations.
Based on the initial analysis, the attack was on the network supporting one physician practice located in Lackawanna County.
The attack is said to be similar to other cyber attacks carried out by the BlackCat ransomware gang on academic and healthcare organizations.
The ransomware group demanded an amount over $5 million, which the plaintiff ‘Jane Doe’ forced the Lehigh Valley Health Network to pay. On the contrary, LVHN authorities denied paying the ransom, as per the advise by the Federal Bureau of Investigation.
BlackCat ransomware group stole medical questionnaires, passports, driver’s license numbers, medical diagnosis data, and social security numbers in the heist. The group did not just encrypt the system files after the LVHN ransomware attack, they also threatened to leak naked images of breast cancer patients on their leak site.
The Lehigh Valley Health Network class lawsuit filed on March 13 read that the case was filed on the counts of wrongful conduct, misrepresentation, concealment, and unlawful practices.
After months of the ransomware attack and the LVHN lawsuit, the website of LVHN was not accessible.