Patients Extorted Over Photos Sue Doctors for Security Failures

Pilfered snapshots of patients baring their bodies ahead of life-saving cancer operations and plastic surgeries are unexpectedly landing in the vast landscape of the public internet after cyberattacks, as hackers seek new ways to turn a profit.

Campaigns to extort victims during ransomware attacks against health-care providers are evolving, according to lawsuits and Bloomberg Law interviews with cybersecurity attorneys and threat researchers. No longer satisfied with targeting hospitals and clinics alone, cyber criminals are directly targeting patients, demanding payments as modest as $50 to prevent the publication of intimate photos and sale of other sensitive medical records on the dark web.

Victims reeling from direct medical privacy extortion launched a litany of proposed class actions and individual lawsuits against their physicians. Health-care providers are accused of failing to safeguard their patients’ most sensitive data and inadequately addressing the aftermath of security breaches.

The rising tide of personal extortion could complicate how providers prepare for and respond to security breaches, said Avi Gesser, a Debevoise & Plimpton LLP partner who advises companies on ransomware and data theft.

“It may be that smaller companies with very sensitive data become a new focus of hackers’ efforts,” said Gesser. “Those companies will have to think about how they are going to respond to a new risk or a higher risk than they had previously faced, when they may have fewer resources.”

The global ransomware phenomenon is surging again. After a year of diminished returns in 2022, hackers were on pace in 2023 to collect their second-biggest windfall in ransomware revenue ever, according to the blockchain analysis firm Chainalysis. This is despite fewer victims actually paying ransoms, according to the incident response firm, Coveware.

At least nine cases filed over the last nine months working their way through state and federal courts stem from this disturbing trend. Hackers brazenly steal medical records and threaten public disclosure if ransom demands to the breached entity or its patients go unanswered, the lawsuits charge. The defendants in these cases range from individual practices such as Hankins & Sohn Plastic Surgery Associates, to provider networks encompassing more than a dozen hospitals, including Integris Health Inc.

Hackers are turning to the personal extortion method given “how easy it is to scale these kinds of attacks” and as their ransomware attempts are becoming less fruitful, said Shoba Pillay, a former federal cybercrimes prosecutor and current co-chair of Jenner & Block LLP’s privacy and cybersecurity practice. “There is a shift in the efficacy of ransomware because the companies have gotten more sophisticated, so the old way of encrypting and demanding payments to get access to your data is not as viable.”

The divide remains stark among health-care organizations grappling with the imperative to fortify their defenses. While some providers independently invested in a robust security posture, others are being propelled by insurers embedding strict security protocols in policies. The federal government is also pushing critical infrastructure, including health, towards stronger network protections. The US Health and Human Services Department is due to update its national security standards for electronic records in the coming months as part of that federal push.

Federal agencies are continuing their decade-long effort to convince companies, hospitals, universities, and local governments to protect their networks, but hackers are adjusting to the enhanced security parameters. Cybercriminals are turning their attention to smaller medical targets and focusing more on “stealing data, which is easier than locking it up,” Gesser said.

“If some class of targets has become hard to get at and if you get at them they’re not paying, or not paying as much as they used to, the attackers will shift and look for other targets and other ways to make money,” he said.

‘A Real Struggle’

Hackers aren’t selective in who they extort—men, women, and even children have received threatening emails, according to allegations in the lawsuits.

In one case, an unnamed minor was sent two extortion emails demanding $50 payments to prevent the release of his medical history and Social Security number. The subsequent lawsuit alleged minors are especially prone to identity theft given “their age and lack of established credit.”

Plastic surgery offices in Beverly Hills, Calif., and Las Vegas, Nev., were attacked by ransomware groups demanding thousands of dollars from patients. When the attackers didn’t receive payment in time, they posted patients’ nude pictures alongside identifying information on public websites mimicking the company pages.

The personal toll of such exposure can be devastating. Savyna Roufeh, a patient at Hankins & Sohn Plastic Surgery Associates, sought “psychiatric and psychological treatment” after hackers sent her emails demanding she force Hankins to pay a ransom. The email included a link to one such replica website containing private patient images including her own, according to her lawsuit against the office. Roufeh alleges staff members said her face wouldn’t be included in before-and-after photos of her chest, but it was.

“The concern is ‘I’m trying to make it as a woman in corporate America and I can’t have things like this that could compromise how people view me or perceive me,’” said Dennis Prince, representing Roufeh for Prince Law Group.

Images of Jane Doe, a breast cancer patient receiving radiation treatment, were posted in March 2023 to the dark web, a portion of the internet underground not visible to most search engines and rife with criminal activity. Hackers, who didn’t contact Doe directly, exposed her and other cancer patients after failing to elicit a ransom payment from Lehigh Valley Health Network Inc. in Pennsylvania.

She’s now acutely sensitive to her photo being taken in medical settings, said Patrick Howard, a class action partner at Saltz Mongeluzzi Bendesky PC representing Doe.

“She literally contemplates the risk to receive medical treatment and balances whether or not the medical treatment is worth the potential exposure of her personally and it’s a real struggle,” Howard said, adding that his client has switched hospitals since the incident. The woman alleged she was never made aware photos were taken during her radiation oncology procedure.

One former cancer patient targeted by medical records extortion alleged his bank account was robbed of $1,300 after hackers accessed data retained by the Fred Hutchinson Cancer Center.

Litigants’ allegations primarily revolve around negligence and other common law torts like breach of contract, claiming affected entities waited too long to inform patients and seeking monetary relief for the alleged irreversible damage of data exposure. While regulations generally allow providers several weeks to disclose a security breach, four of the complaints allege plaintiffs first learned about the data theft directly from hackers.

Victims are seeking legal relief because once their images and medical data have been published online or in dark web forums, it’s virtually impossible to claw them back, said Nada Djordjevic, a class action partner at DiCello Levitt who’s representing an anonymous proposed class of Beverly Hills plastic surgery patients targeted with extortion demands.

“There’s an ongoing risk that it will be put up again and used again, used over and over because you can’t ever 100% remove something from the internet,” Djordjevic said.

Company Considerations

The first known instance of direct patient extortion targeted tens of thousands of Finnish psychotherapy patients in October 2020, leading researchers to conclude the tactic “puts additional pressure on the company to pay the ransom,” in a paper published by Harvard’s Belfer Center for Science and International Affairs in May 2022.

The anonymous cancer patient suing in Pennsylvania initially sought a court order forcing her hospital to pay the hacker’s ransom and prevent public disclosure of her nude photos. She ultimately withdrew the motion after “it became clear at a certain point that they just weren’t going to part with the money,” Howard of SMBB said.

Companies should expect increased external pressure from patients upset about paying a ransom or having their privacy exposed, but an affected entity’s best response is still avoiding a ransom payment, said Alex Holden, the founder of cyber consulting and investigation firm, Hold Security.

“Once you make a decision, preferably stick with that decision because either way, it’s going to be tough—if you go back and forth, it’s just going to show weakness and the bad guys will take advantage of that,” he said.

Ramp Up Disclosure

Mike Hamilton, founder of cybersecurity firm Critical Insight and former CISO of Seattle, said he’s advising health-care organizations to ramp up their security incident disclosure programs.

“If there is any indicator that the victims themselves, the consumers, are going to be contacted by these gangs,” the patients should be notified before hackers have an opportunity to reach out, Hamilton said.

“The failure to do that is probably going to end up—just like everything else does—in some kind of class action lawsuit,” he said.

Companies will have to balance meeting state and federal regulatory breach notification obligations with quickly informing patients with accurate information about what data was affected, Pillay of Jenner & Block said.

Direct extortion attempts may change how fast breached organizations disclose a hack to patients, but their timing strategy depends on “what extortion is happening with the patients and what the company understands and knows as the incident is evolving,” Pillay said.

Every state in the US requires hacked health-care entities to alert victims of data exposure, often within 60 days, but reporting timelines vary. The HHS requires entities to report data breaches affecting over 500 people to the Office for Civil Rights.

Gesser of Debevoise & Plimpton LLP said the standard approach of supplying patients with a year of credit monitoring may satisfy individuals suing for tens of thousands of dollars over heightened privacy exposure. He said companies could review their contractual confidentiality obligations in light of these lawsuits.

“That’s a different dynamic than a lot of cyber matters have played out in the past and I think looking at the contractual arrangements, the terms and conditions on which data is being provided to companies and the insurance of the individual, the insurance of the company are all going to be revisited with this dynamic in mind,” Gesser said.
