SCRANTON, Pa. — It's one thing to have information or money stolen by cyber criminals, but attorney Patrick Howard says what was taken from his client left her feeling humiliated.
"Not only that her medical records may be on the internet, but also naked pictures of her receiving breast cancer treatment."
The anonymous Dunmore resident is suing Lehigh Valley Health Network (LVHN) over its handling of the data breach earlier this year.
The health care system says it was targeted by a ransomware gang with ties to Russia. LVHN refused to pay the ransom.
In the lawsuit, attorneys write, "While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims."
Howard says there are about 2,700 of those victims who now have naked photos of them on the dark web. Howard is working to get a class-action lawsuit.
"What was the thought process in deciding, 'Yeah, we'd rather let these pictures get out the door, then pay this ransom or demand, whatever you call it, to prevent that from happening?'"
Cybercrime is keeping Howard busy these days. He has about a dozen active data breach cases right now.
His Dunmore client's first instinct when she learned she was a victim speaks to just how prevalent the crime is.
"She actually believed initially that the whole thing was a scam, and she contacted the police," Howard said.
Pennsylvania State Trooper Anthony Petroski says that was the right thing to do. Even if you're contacted about a scam, that could be a scam itself.
"They received an email about getting a year of paid protection since there was a data breach. And I always tell people who get those emails, that's great if they're offering you that, but make sure it's legitimate," Petroski said.
"Don't click on any links in that email, and open a separate Google search, look into the data breach, and call that health care provider separately, and ask them before you respond to the email because, again, that could be a scam also."
Some victims might be concerned that opting in to a protection plan might just provide more information to the hackers.
Petroski says the benefits outweigh the risks.
"It's tough, you know, you could play 'what ifs' with everything. If there's a data breach at an institution, and they offer you that protection plan for up to a year, it's a good idea to take it. It's going to help. It's a red flag for creditors."
But in a lot of cases, once the damage is done, there's not much you can do.
That's true of the cancer patients, whose photos are now floating around the dark web.
While they might get money from the lawsuit, those photos are likely never going away.
"I'm not sure what else I can do. We've tried talking to the hospital system, imploring them to how sensitive the situation is, and they've made their decision."
So, if this happens to you, what can you do?
- Verify the source of every email about the hack.
- Call the company where your data is stored.
- Don't click on any links until you do.
- Monitor your accounts.
- Freeze your credit cards.