Cancer patient sues hospital after ransomware gang leaks her nude medical photos | Victim offered two years of credit monitoring after highly sensitive records dumped online

Two years of credit monitoring is a laughably inadequate and insulting offer.


Wow! Unbelievably cruel.


Hopefully, cases like this will one day teach the world to not go cheap on cybersec specialists.


I remember at one point, no joke, I had 4 credit monitoring services given to me through multiple hacks. (Sony, Equifax, and a few others)

Anytime I got an option to take a payout I would take it. But after the Equifax thing, courts have basically said our value. The more I live in this country and the longer I live, the more hypocrisies I find compared to what I was told when I was a kid, and the more corruption I find.


“[LVHN VP of Compliance] offered plaintiff an apology, and with a chuckle, two years of credit monitoring,”

let’s see if the stone-brain chuckles at losing her job


My university got hacked and our SS numbers leaked and they offered us a year of credit monitoring….we were like soooo after a year we're fucked??


How difficult it becomes every day to have some faith in humanity, when you see these things happen more frequently and without people caring.


Did you know many hospital based apps and programs do not use HTTPS for anything?

Did you know the biggest EMR is only now actually enforcing HTTPS as a requirement for all its web based services?

Did you know it can take literally 6 months for a healthcare vendor to update their F5 appliance to plug the worst F5 vulnerability in a decade?

Health care vendors don’t care about security. No matter how much you care. Don’t even get me started on doctors. They won’t even let us lock workstations after 15 minutes because it’s “inconvenient”


We need to create different rules and mechanisms to punish corporations for engaging in risky behavior.

Corporations save money and take risks and when something bad happens they suffer no real consequences.

Why invest in IT security and force staff to actually listen to the security people they do have? The worst that could happen is that someone else suffers.

Minor fines and stuff like that will not help things. At best they are a cost of doing business and at worst they will be passed on to customers.

With business like hospitals they can’t even punish the business because the public still needs the hospital.

This whole corporate veil thing, where risks and immoral decisions can benefit the owners/shareholders but bad consequences rarely affect the people who own the business, needs to be rethought.

If the aim to increase shareholder value always results in a world that becomes more and more fragile, this is a big problem.


The US government had my personal info hacked and all I was offered was a discount on a year of credit monitoring…

So I’d say this is a win.


That’s horrendous and grossly inadequate


Two years of credit monitoring won’t do much. Make it 30+ years and that’s maybe acceptable.


Cheaper to react to computer security breaches than to prevent them.


I hope she cleans out the hospital’s insurance company.


Oh right, I heard a lot of those AI art websites use stolen medical photos for their algorithms


Two years of credit monitoring….. After all the money that hospital made from her cancer treatment?


Is there any way for individuals to protect themselves legally from this sort of thing? Can we present our healthcare providers with a legal document prior to procedures stating if our images/likenesses are stolen or sold by their negligence we have the right to financial payout? If not, why not? Why should healthcare providers have all the power with regard to sensitive personal information? Why should we have to sign all sorts of invasive, legally binding documents and let them share our data against our consent, yet they never have to make any sort of agreement or pledge to us the patient? And clearly HIPAA is not enough. This is so gross.


Some people are missing a context here. This isn’t criminals trading images because they're naked.

This is the criminal organization releasing a few naked images to create a PR disaster for the hospital to put pressure on them to pay.

If the hospital had backups of encrypted data they’re not going to pay for recovery. They may however pay to stop publication of these images and medical records.


I worked for a multi-billion dollar HIT company some time ago (one that was recently acquired by a major tech company). I was tasked with building an app for a hospital that they would use on their iPads.

Well, I just so happened to find out that they planned to hand the iPads over to patients to fill a form out. There were no security protocols in place! Anyone could easily leave the app and start looking at any patient’s charts by opening another app.

I told my lead and pm, and they didn’t care. I told the hospital contacts, and they didn’t seem to understand or care. I stormed into my manager’s office and brought it to her attention, and she just kind of cared enough to have me find a solution…but only because I described how dangerous the situation was.

In the end, the project was wrapped up, the team called out the security feature THAT I FOUND in the documentation, and I didn’t get so much as a thank you from anyone. No doubt if a lawsuit came about for HIPAA violations, I would be one of the scapegoats.


Credit monitoring?!? Jesus christ man, that is quite literally like throwing pennies at her.


They refused to pay the blackmailers, so they’re going to be paying lawsuit settlements instead. The government will certainly do a full HIPAA compliance investigation, especially since they’ve been hit once before, and probably fine the crap out of them too.

They don’t play around with fines. One dentist responded to a bad review online and just mentioned what procedures she had while doing so, and he got hit with a $50,000 fine.


Offers of credit monitoring are corporate America’s smug slap in the face to the victims of their fuckups. “ha ha, here you go, peon, now fuck off.”


Our hospital gives out five dollar gas cards for everything from a slightly delayed case to wrongful deaths.


In my exp as a tech recruiter for some hospitals..not all…I’ve noticed there is a bigger focus on office politics and BS than actually getting IT work done, so I’m not surprised a hospital's IT security infrastructure let this shit happen.


To the big corps, it costs less to just pay the data breach fine than to invest in implementing and maintaining a data security system. The fine is not severe enough for the big corps to care to make a change.


Hope they’re granted class status, they deserve it.

Fucking “healthcare providers” though, if they thought it’d save them a dime, they’d post their own mother’s saucy selfies online. Feckless clowns.


Look forward to this happening more often people.


wut the fuck


Uh.. talk about HIPAA violation! Wow!


Don’t file with a class action suit if you know you have a good case. Fuck them. Make them pay for an individual lawsuit and get paid.


Why does the hospital need their SSN? In Canada we do not provide our equivalent SIN to the hospital. Can someone explain this?


I love how they always just give you credit monitoring after your life is ruined.


This seems like it should be under A Boring Dystopia.


Yeah, fuck you. That’s not even remotely close to adequate.


A couple years ago I was admitted into the hospital for this difficult infection on my foot that was not responding to oral medications. While I was admitted, a nurse came into the room with a 15 year old point and shoot camera and wanted to take photos of my groin and genitals to document the infection had not spread there or that I had some scratch on my thigh or something. I pushed back hard and had a difficult time getting them to go away with their creeper camera, because I was 100% sure they had no control where those images would go, and 100% sure they did not need photos of my not-infected junk.

This story validates my concerns completely.


only the lowest of scum go after hospitals. fuck hackers like this.


Find these people and skewer them on a pike. Some people need to be dead.. say what you want but some fuckers are evil and need to be gone


Credit monitoring is usually free through many websites and apps.

They might as well have offered them free unlimited air for life that can be breathed as needed by their mouth anytime anywhere they’d like.


Ok yea that offer sucks. But imagine being part of a hacker gang and doing this. Scum of the earth


Healthcare providers don’t give a shit. I’ll tell you how this happens. They outsource their IT department to an MSP (managed service provider). The MSP does fuck all training around HIPAA and are generally overworked/underpaid. Hospital scrimps on services offered like security. Hospital assumes MSP is doing everything. They aren’t.

Know how I know? Been in this situation multiple times.


That’s like getting killed and they give you a t-shirt to be buried in.


We should normalize suing the fuck out of companies that have our data leaked


We need to make people who feel comfortable doing this not so comfortable anymore.


I’m a hospital data scientist, I have no idea why these images were being stored without being de-identified first. We have very strict (and sometimes frankly annoying) protocols for this exact reason of data intrusions. Data is supposed to be either anonymized or de-identified with all data content stored completely separately from the identifiers. Somebody done goofed in the hospital or the insurance company (upstream from the actual intrusions by this hacker group – that is going to happen but you’re supposed to make the data useless to them before they get their hands on it, in that event)
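The split this commenter describes, content stored apart from identifiers and linked only by a pseudonym, as an added example (not code from the commenter or any hospital system; the record fields, the `deidentify`/`reidentify`/`content_store_leaks_identity` names and the sample values are all constructed for illustration):

```python
import secrets

# Constructed sample record of the kind a hospital system might hold.
# Every value here is made up for this example.
SAMPLE_RECORD = {
    "patient_name": "Jane Example",
    "ssn": "000-00-0000",
    "dob": "1970-01-01",
    "study_type": "oncology photo",
    "image_ref": "img-0001.jpg",
    "clinical_notes": "follow-up, no change",
}

# Direct identifiers that must never sit beside the clinical content.
IDENTIFIER_FIELDS = {"patient_name", "ssn", "dob"}


def deidentify(record, identifier_fields=IDENTIFIER_FIELDS):
    """Split one record into (identifier_row, content_row) linked only by a
    random pseudonym, so a dump of the content store alone names nobody."""
    pseudonym = secrets.token_hex(16)  # random; never derived from the SSN
    identifier_row = {k: v for k, v in record.items() if k in identifier_fields}
    content_row = {k: v for k, v in record.items() if k not in identifier_fields}
    identifier_row["pseudonym"] = pseudonym
    content_row["pseudonym"] = pseudonym
    return identifier_row, content_row


def content_store_leaks_identity(content_rows, identifier_fields=IDENTIFIER_FIELDS):
    """Pre-export check: True if any row in a content dump still carries a
    direct identifier (i.e. someone skipped the split upstream)."""
    return any(identifier_fields & set(row) for row in content_rows)


def reidentify(pseudonym, identifier_rows):
    """Re-linking only works with the separately held identifier table,
    which is the whole point of keeping the two stores apart."""
    for row in identifier_rows:
        if row["pseudonym"] == pseudonym:
            return row
    return None


if __name__ == "__main__":
    ids, content = deidentify(SAMPLE_RECORD)
    print("content row:", content)
    print("leaks identity?", content_store_leaks_identity([content]))
```

In a real deployment the identifier table lives in a separate, more tightly controlled system, so an intrusion into the image or analytics store yields pseudonymous content only.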


I’m a cyber threat analyst who has spent the past week in an (unrelated to this incident) ongoing ALPHV Blackcat ransomware case and I just wanna say, this case I’ve been working is far more complicated than any previous ransomware case I’ve been involved in. ALPHV is an APT and needs to be taken seriously. Over a month and they hadn’t paid the ransom?? Nobody WANTS to pay the ransom, but fuck, even in cases I’ve worked that involved significantly less PII, let alone something protected under HIPAA, the ransom was paid to prevent public access of that data. They deserve to get sued hard and can only blame their greed for this data being leaked. Jfc


The number of doctor’s offices that I call (work in IT services) with an AOL or Gmail for their practice is probably higher than anyone should be comfortable with.


The scary part of this all…. Hospitals suck at info sec. I hope she owns that place.


Smh this is the result of being hacked it sucks bc they can hack damn near anything now


It will be interesting to see how this pans out. A lot of smaller medical offices are not equipped to deal with ransomware issues at all. I advise small medical offices to hire internet security firms to help protect against these types of attacks.

