Patient No Longer Seeking Injunction to Force Healthcare Provider to Pay Ransom
There has been an update to a lawsuit filed against Lehigh Valley Health Network over a ransomware attack that involved the theft of sensitive patient data and the publication of naked images of patients on the Internet.
Lehigh Valley Health Network detected the ransomware attack on February 6, 2023, and was issued with a ransom demand. The BlackCat group threatened to release the stolen data online if the ransom was not paid. While it is common for ransomware gangs to steal sensitive data and publish files if the victim fails to cooperate, the BlackCat ransomware group took the extortion a step further and published naked images of patients to pressure Lehigh Valley Health Network into paying the ransom. The images in question were clinically appropriate for radiation oncology treatment and showed patients naked from the waist up. The ransomware group was seeking payment of approximately $5 million. Lehigh Valley Health Network chose not to pay the ransom.
A lawsuit was filed in the Court of Common Pleas of Lackawanna County in Pennsylvania, which alleged Lehigh Valley Health Network failed to adequately protect patient data and failed to meet its obligations under the Health Insurance Portability and Accountability Act (HIPAA). The lead plaintiff, Jane Doe, had her naked images posted by the group. She maintains that she was not aware that the photographs had been taken.
The lawsuit sought class action status, a jury trial, and remedies including damages, reimbursement of out-of-pocket costs, and equitable and injunctive relief, including an order from the court compelling Lehigh Valley Health Network to improve its data security systems and provide identity theft protection services for the plaintiff and class.
Court Order Sought to Force Lehigh Valley Health Network to Pay the Ransom
One of the remedies sought by the plaintiff concerned the removal of her partially naked photographs from the Internet. Lehigh Valley Health Network no longer had control of those photographs, so the plaintiff sought a court order compelling Lehigh Valley Health Network to pay the ransom and obtain a pledge from the BlackCat group that the images would be removed from the Internet.
The plaintiff’s legal team said the plaintiff is worried that she may be identified by the images, that they may be viewed by her employer or people at work, and that she would be constantly worried that the images would be discovered for as long as they were available online. The patient’s attorney claimed images stolen by the group had been published online and could be found by searching using the individuals’ names, and that this was a deeply upsetting violation of patient privacy. The move to compel Lehigh Valley Health Network to pay the ransom was the only way that the plaintiff’s legal team could get the images removed from the Internet. The request was unusual, but this was not a typical ransomware and extortion attempt.
The request raised some important legal issues that U.S. District Court Judge Malachy E. Manion moved to address. Judge Manion questioned the plaintiff’s legal team on the legality of the request and whether the court had the authority to force a defendant to commit a potentially illegal act. U.S. law does not generally prohibit the payment of a ransom for the return of people or goods; however, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) can impose sanctions on organizations that pay ransoms to cyber actors under its sanctions program.
In response to the request, Judge Manion ordered the plaintiff’s attorneys to file a brief in support of their preliminary injunction, “specifically providing authority that the court may force a party to comply with an illegal act or pay an illegal ransom.” On April 18, 2023, the plaintiff dropped the request for the injunction to force Lehigh Valley Health Network to pay the ransom.


