Lehigh Valley Health Network under a ransomware attack

Lehigh Valley Health Network is the subject of a major ransomware attack. The attack was carried out by the threat actor ALPHV and has had a severe impact on the healthcare provider.

We look at the details of this ransomware attack below. It remains unclear as to how the Lehigh Valley Health Network is coping with the impact.

Key points about the ransomware incident on Lehigh Valley Health Network

  • The attack was publicly claimed on 4th March 2023 by the ALPHV (also known as Black Cat) ransomware group. The group is based in Russia.
  • Lehigh Valley Health Network had already issued a statement on 20th February about a ransomware attack carried out by the threat actor Black Cat. The intrusion itself took place on 6th February 2023: a physician’s office was compromised and served as the threat actor’s entry point.
  • In the statement released on 20th February, Lehigh Valley Health Network confirmed that healthcare services were not affected by the ransomware attack. The full text of this statement is reproduced in the press section below.
  • The threat actor accessed patient data, including patient images. In its latest communication, ALPHV has released patient photos and has threatened to release more pictures and other data if the ransom demand is not met.
  • Lehigh Valley Health Network has not made any ransom payment. This could have been the trigger for the release of patient data and images.
  • The deadline ALPHV gave Lehigh Valley Health Network appears to have expired, given that the original attack was detected on 6th February. This could be one reason for the Black Cat group’s current action: the threat actor is trying to corner Lehigh Valley Health Network by releasing patient images and photos online.
  • In its statement, the ALPHV group has stated that it had extended access to Lehigh Valley Health Network data and holds exhaustive data on the healthcare group and its patients.
  • The Lehigh Valley Health Network website is returning an error as we write this: the site responds with an HTTP 403 Forbidden page.
  • It is unclear whether healthcare operations have been affected by this latest escalation by the ransomware operator.
  • In our experience, the current action initiated by ALPHV reflects a breakdown in negotiations between Lehigh Valley Health Network and ALPHV.

The entire Lehigh Valley Health Network comprises multiple healthcare facilities, including the following:

  • LV Reilly Children’s Hospital
  • LV Topper Cancer Institute
  • LV Heart and Vascular Institute
  • LV Orthopedic Institute
  • LV Institute for Surgical Excellence
  • LV Fleming Neuroscience Institute

The extent of data encryption and data breach has not yet been confirmed, as Lehigh Valley Health Network is still auditing the attack with third-party cyber security analysts.

Likewise, it is not confirmed whether the impact of this cyber incident is limited to one facility or extends to all healthcare facilities of Lehigh Valley Health Network.

Restoring data after a ransomware attack is an exceptionally long and tedious process.

Press statement released by Lehigh Valley Health Network on 20.02.23:

“Lehigh Valley Health Network (LVHN) has been the target of a cybersecurity attack by a ransomware gang, known as BlackCat, which has been associated with Russia. As of today, the attack has not disrupted LVHN’s operations. Based on our initial analysis, the attack was on the network supporting one physician practice located in Lackawanna County. We take this very seriously and protecting the data security and privacy of our patients, physicians and staff is critical.

“On February 6, LVHN detected unauthorized activity within our IT system. Our Technology team identified the unauthorized activity, and we immediately launched an investigation, engaged leading cybersecurity firms and experts, and notified law enforcement. We are continuing to work with our experts to investigate the scope of the incident and as of today, we continue to operate normally.

“Although our investigation is ongoing, as of today, our initial analysis shows that the incident involved a computer system used for clinically appropriate patient images for radiation oncology treatment and other sensitive information. BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise. We understand that BlackCat has targeted other organizations in the academic and healthcare sectors.

“We are continuing to work closely with our cybersecurity experts to evaluate the information involved and will provide notices to individuals as required as soon as possible. Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident.”

About ALPHV ransomware group

ALPHV, also known as Black Cat, is a ransomware threat actor based in Russia. It exploits vulnerabilities to gain access to target networks and encrypts the data of the companies and healthcare providers it compromises. Its primary goal is to extort a ransom in exchange for the decryption keys for the target’s data.

The ransomware group uses malware to

The data is encrypted with an AES key, and that AES key is in turn encrypted with an RSA public key, so the encrypted data cannot be recovered without the corresponding RSA private key.


Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.