{ "id": "bb035ed6-8908-4a21-97cc-6420660fda54", "created_at": "2026-04-06T00:21:40.960934Z", "updated_at": "2026-04-10T03:29:39.888976Z", "deleted_at": null, "sha1_hash": "e54ec0447aa8895e99e977b07411a0b2060ffd35", "title": "Ransomware gang posts breast cancer patients’ clinical photographs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 85323, "plain_text": "Ransomware gang posts breast cancer patients’ clinical\r\nphotographs\r\nBy Alexander Martin\r\nPublished: 2023-03-06 · Archived: 2026-04-05 13:17:59 UTC\r\nThe ALPHV ransomware group, also known as BlackCat, is attempting to extort a healthcare network in\r\nPennsylvania by publishing photographs of breast cancer patients.\r\nThese clinical images, used by Lehigh Valley Health Network as part of radiotherapy to tackle malignant cells,\r\nwere described as “nude photos” on the criminals’ site.\r\nLehigh Valley Health Network disclosed on February 20 that it had been attacked by the BlackCat gang, which it\r\ndescribed as linked to Russia, and stated that it would not pay a ransom.\r\n“Based on our initial analysis, the attack was on the network supporting one physician practice located in\r\nLackawanna County. We take this very seriously and protecting the data security and privacy of our patients,\r\nphysicians and staff is critical,” said the network’s president and chief executive, Brian Nester.\r\nNester added that the incident involved “a computer system used for clinically appropriate patient images for\r\nradiation oncology treatment and other sensitive information.”\r\nAt the time of the original statement, Nester said Lehigh Valley Health Network’s services — including a cancer\r\ninstitute and a children’s hospital — were not affected.\r\nHowever the network’s website is currently inaccessible. The Record was unable to contact the network for\r\nfurther comment following its listing on the ALPHV .onion website.\r\nOnlookers have been revolted by the attempt to leverage the sensitivities around cancer treatment and intimate\r\nimages to extort the organization.\r\nMax Smeets, an academic at ETH Zurich — a public research university — and the director of the European\r\nCyber Conflict Research Initiative, wrote: “This makes me so angry. I hope these barbarians will be held\r\naccountable for their heinous actions.”\r\n\"A new low. This is sickening,\" wrote malware analyst Ryan Chapman, while Nicholas Carroll, a cybersecurity\r\nprofessional, said the gang was “trying to set new standards in despicable.”\r\nALPHV itself celebrated the attack and the attention it brought.\r\n“Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant\r\ndamage to your business. Your time is running out. We are ready to unleash our full power on you!”\r\nhttps://therecord.media/ransomware-lehigh-valley-alphv-black-cat\r\nPage 1 of 3\n\nNumerous healthcare organizations have been attacked by ransomware gangs in recent months. The criminal\r\nindustry persists because of victims who pay, sometimes because their businesses face an existential threat, and\r\nsometimes to avoid the negative publicity.\r\nMedibank, one of Australia’s largest health insurance providers, stated last November that it would not be making\r\na ransom payment after hackers gained access to the data of 9.7 million current and former customers, including\r\n1.8 million international customers living abroad.\r\nThe information included sensitive healthcare claims data for around 480,000 individuals, including information\r\nabout drug addiction treatments and abortions. Outrage at the attack prompted the government to consider banning\r\nransomware payments in a bid to undermine the industry.\r\nBack in January, the hospital technology giant NextGen Healthcare said it was responding to a cyberattack after\r\nALPHV added the company to its list of victims.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/ransomware-lehigh-valley-alphv-black-cat\r\nPage 2 of 3\n\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/ransomware-lehigh-valley-alphv-black-cat\r\nhttps://therecord.media/ransomware-lehigh-valley-alphv-black-cat\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/ransomware-lehigh-valley-alphv-black-cat" ], "report_names": [ "ransomware-lehigh-valley-alphv-black-cat" ], "threat_actors": [ { "id": "86ab9be8-ce67-4866-9f66-1df471e9d251", "created_at": "2024-05-29T02:00:03.942487Z", "updated_at": "2026-04-10T02:00:03.641939Z", "deleted_at": null, "main_name": "Alpha Spider", "aliases": [ "ALPHV Ransomware Group" ], "source_name": "MISPGALAXY:Alpha Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434900, "ts_updated_at": 1775791779, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e54ec0447aa8895e99e977b07411a0b2060ffd35.pdf", "text": "https://archive.orkl.eu/e54ec0447aa8895e99e977b07411a0b2060ffd35.txt", "img": "https://archive.orkl.eu/e54ec0447aa8895e99e977b07411a0b2060ffd35.jpg" } }