Today is there such thing as the unforgivable breach?

 My name is Bill Russell. I'm a former CIO for our 16 hospital system and creator of this week Health. A set of channels dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health.

Sure. Test and Artis site two great companies. Check them out at this week, health.com/today,

having a child with cancer is one of the most painful and difficult situations a family can face in 2023 to celebrate five years at this week, health we are giving back. We will be partnering with Alex's Lemonade stand all year long.

We have a goal to raise $50,000 from our community. We are already up over 11,000 and we're asking you to join us. There's two ways you could do. One is that you could hit our top banner on our website this week, health.com. Click on the Alex's Lemonade stand. Go ahead and, , give money on the Lemonade Stand site itself.

The second is we have a drive. We've been doing drives every month and for the month of March, has to do with the Vibe Conference. , my, , producer happens to have a service dog. We're bringing the service dog with us to the. and the service dog's name is Captain.

And if you see us with Captain, get your picture taken with Captain at the Vibe event, go ahead and post it to social media and tag us this week, health in the post itself. And everyone who's in that picture, if it's 10 people, if it's a hundred people, we're gonna give $1 for every person who is in that picture to, , Alex's Lemonade stand to raise money for childhood cancer.

 I wanna thank three great sponsors who are making this drive possible and they are art of sight order and shore test, and we really appreciate them stepping up and being a part of this campaign.

 Okay, the question for today is, is there an unforgivable breach? , Drex posted this in his, , feed. I picked it up. I read it, the comments below essentially said, this is unforgivable and I'm going to just go ahead and read it. and we are gonna have a little discussion at the end. Discussion. I'm gonna be talking at the end of what I take away from this.

So cancer patient sue's hospital after ransomware gang leaks her nude medical photos. Here's what the article says. A cancer patient whose nude medical photos and records were posted online after they were stolen by a ransomware gang has sued her healthcare provider for allowing the preventable and seriously damaging.

The proposed class action lawsuit stems from a February intrusion during which malware crew Black cat broke into one of Lehigh Valley Health Networks Physician networks stole images of patients undergoing radiation oncology treatment, along with other sensitive health records belonging to more than 75,000 people, and then demanded ransom payment.

To, to grip the files and prevent it from posting the health data online. So a couple things outta that sentence. , paragraph one is it's the health network. So it was probably a physician practice out in, or a oncology practice out in the, , out in the network itself. I don't know if they were on the Epic instance.

I don't know what they were on. I don't actually, what we're probably looking at is a. , oncology, e h r is my guess. , but I don't know, and it doesn't really spell it out in here in technical terms, but regardless, physician practice, so this is, , not the main hospital that was getting hacked. It was probably a physician group.

That's what I take from that paragraph. The Pennsylvania Healthcare Group, one of the largest in the US states, , oversees 13 hospitals, 28 health centers, and dozens of other physician. Clinics, pharmacies, rehab centers, imaging and lab services. , Lehigh Valley Health Network refused to pay the ransom.

And earlier this month, black Cat started leaking the patient information, including images of at least two breast cancer patients naked from the waist up. The Unconscionable Criminal Act takes advantage of patients receiving cancer treatment and Lehigh Valley Health Network condemns this despicable behavior that was from a spokesperson from the hospital according to the lawsuit, which there's a PDF file here that I could.

, here's how one patient identified as Jane Doe found out about the data breach and that Lehigh Valley Health Network had stored nude images of her on the network in the first place. So that's interesting in and of itself. I mean, we don't know what our health system has and what they're storing on us.

This is why I go back to patient-centric interoperability. I should. This is me getting to my so what, but I should have the right to say to my health system, give me my health record and delete it from your system. I don't want you to have it. I don't trust you. to have that information, especially nude images.

My patient information, I'm gonna go on here, but that is my case. This is one of my largest cases for, I should be able to have the health system delete my information if I don't trust that they have the right security practices in place. Okay, it goes on, , this is how she was notified on March 6th. We have health network.

, person in charge of compliance, I'm not gonna say her name, called Doe, and told her that the new photos has been posted on the hacker's leak site. , the compliance officer offered the plaintiff a photo apology with a chuckle. And two years of credit monitoring. Now, I don't doubt that that's how this person heard this, but if the compliance officer actually did chuckle, they should be fired and they shouldn't be the person making the phone call.

Somebody with some empathy should be making the phone call. , but that's probably how they heard it. I can't imagine somebody chuckled in the process Anyway, in addition to swiping the very sensitive photos, the crooks also made off with everything I need for identity. Let's take a look at what they took.

, let's see, physical and email address, date of birth, social security number, health insurance provider, medical diagnosis and treatment information and lab results were also likely stolen in the breach. Yep, that's it. That's, that's a pretty comprehensive record that was given up, , given that Lehigh Valley Health Network is and was storing the sense of information, the plaintiff and the classes.

, including new photographs of the plaintiff receiving sensitive C cancer treatment. Lehigh Valley Health Network knew and should have known the serious risk and harm that could occur from the data breach. No doubt that is absolutely true. A claims Lehigh Valley Health Network was negligent in its duty to safeguard patient sensitive information and seeks clax action status for everyone whose data was exposed with monetary damages to be determined.

, and I That's the case, right? The case is were they negligent? And this will be an interesting one to follow, an important one to follow. Anyway, Pennsylvania attorney Patrick Howard, who's representing doe and the rest of the plaintiffs in the proposed class action, said he expects the number of patients affected by the breach to be in the hundreds, if not thousands.

The hospital invites patients into the facility, takes possession of their data. Howard told the register, the hospital must ensure that the data is. , taken care of has proper safeguards, , including these highly sensitive photographs. You give the expectation of safety and security. If you act negligently in providing the safety and security, you can be held liable regardless of the conduct of the third party.

, Lehigh Valley Health Network declined to comment on the suit. We do not comment on active legal matters. Of course, that makes sense. , , what's the, so what? Is there an unforgivable data breach? and the answer is the unforgivable data breach is one in which there is negligence.

That's the unforgivable breach because we know they're coming after us. We know they're coming after this data. We're protecting somebody else's data, and if we're not putting the safeguards in place, Regardless of what level of maturity we're at, it's only unforgivable it and unconscionable if we are not doing the right things, it's not the type of information that's stolen.

I mean, it's the practices around it. Like if we know we have this kind of sensitive, , photographs and those kinds of things. , has there been a, a discussion before we start taking these photographs and putting them online? Have we at least had the conversation of how are we gonna protect these things?

What safeguards need to put be put in place? Do we have, you know, just the basics? Do we have dual factor authentication? Do we have, fill in the blank, whatever those, whatever the, the framework you're using. Are we progressing in that framework? If I were the, the. lawyer in this case, I would be looking at that framework and saying, show me the, show me your security framework from three year, I don't know when this occurred.

Does it say March 6th? Doesn't gimme the exact date that this occurred. , but I'd be looking like the three or four years prior to that saying, I need to see your security framework and your maturity model on each one of those years. And if you don't have one, it's negligence. If you have one and you're not making progress, potentially negligence, negligence on the part of who knows what, , it could be that we're not investing enough money that, that the leadership's not taking it serious enough.

, or it could be negligence on the part of the security team. Could be negligence on the part of the compliance team, could be negligence in a lot of different areas, but if there's no progress being made, there's likely neglige. . Right. Or at least not prioritization. And that in and of itself is negligence.

, but I'm trying to think if they are making progress, , I I think it's gonna be hard to prove negligence if they've put security controls in place and they have education in place, they have dual factor authentication in place, it's gonna be hard to prove negligence. And I don't think if they're making that kind of progress, there is, , it's unconscionable.

I understand It's h horrific. The information that was lost, but the question is, is it negligence or not? And if it's negligence, then it is the unforgivable breach.

 Well, that's all for today. If you know of someone that might benefit from our channel, please forward them a note. I'm serious here. Think of it right now. Who could you forward a note to and say, Hey, you should be listening to this channel. I'm getting a lot out of it.

I'd love to just talk to you about some of the stories that they cover that would really go a long way in helping us to continue to create content for the community and events for the community. They can subscribe on our website this week, health.com, or wherever you listen to podcasts. Apple, Google Overcast, Spotify.

Stitcher and I could go on and on and on because anywhere that a podcast can be listened to, we're already out there. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders. Sure. Test and 📍 Artis site. Check them out at this week, health.com/today.

Thanks for listening. That's all for now.