A woman suing Allentown, Pa.-based Lehigh Valley Health Network has dropped her request to compel the health system to pay $5 million in ransom to a cybercriminal gang to have her nude breast cancer treatment photos removed from the internet, The Wall Street Journal reported May 2.
The patient, known in the complaint as Jane Doe, withdrew the demand April 18 after a federal judge asked for an explanation of why Lehigh Valley should "comply with an illegal act or pay an illegal ransom," according to the report. The ransomware group that stole and posted the photos, BlackCat, has ties to Russia. Companies that pay ransom to hackers based in that country could be violating U.S. sanctions.
A Lehigh Valley spokesperson told the Journal the health system "does not comment on active litigation matters."
Jane Doe's photos, which she claims not to have been aware were taken during her treatment, were breached in a February hack that affected patients who live in New York, New Jersey, Virginia, Georgia and California, the newspaper reported. Lehigh Valley refused to pay the ransom; the health system said it identified about 2,700 patients whose "clinically appropriate" photographs may have been stolen.
"They have the right to pay or not to pay. That's a business decision for the hospital to take," Jason Kravitz, a partner and head of cybersecurity and privacy practice at law firm Nixon Peabody, told the Journal.