Lehigh Valley Health agrees to $65M settlement over cyber attack.
Lehigh Valley Health Network has reached a settlement of $65 million in a class action lawsuit involving patients and employees impacted by a ransomware attack in 2023, which exposed personal and medical information, including nude photos of patients.
The law firm Saltz Mongeluzzi Bendesky stated that the settlement is considered to be the largest of its kind, on a per-patient basis, in cases involving healthcare data breaches and ransomware.
Lehigh Valley Health Network refused to pay the undisclosed amount of ransom demanded by the hackers, which the plaintiffs contended showed that the healthcare organization prioritized its financial interests over the concerns of patients.
In March 2023, a lawsuit was filed on behalf of around 135,000 patients and staff from the health system. The attorneys stated that over 600 individuals had their personal medical record photos compromised and shared online. The hacker group released private images of breast cancer patients on their data leak site, which included not only medical questionnaires and passports but also other sensitive information like driver’s license numbers, Social Security numbers, medical diagnoses, treatment details, and lab results.
The complaint said that “Lehigh Valley Health Network was told by the hackers that they had these images and if Lehigh Valley Health Network refused to pay their ransom demand, the hackers would release these sensitive images publicly. Pennsylvania based, Lehigh Valley Health Network needed to act with serious consideration of the consequences that would befall these patients if those images were released on the internet where they can stay forever. Lehigh Valley Health Network made the knowing, reckless, and willful, decision to let the hackers post the nude images of Plaintiff and others on the internet.”
Lehigh Valley Health Network’s response is in line with advice from the FBI, which advises against paying ransoms. The investigation of the cyber attack found that the hacker group ALPHV, also known as BlackCat, was responsible for the attack.
ALPHV has gained a reputation for launching cyber attacks against academic and healthcare organizations while demanding ransom payments. CEO Brian A. Nester indicated that a physician practice located in Lackawanna County seemed to be the focal point of the attack.
The message from BlackCat read:
We have been in your network for a long time and have had time to study your business. In addition, we have stolen your confidential data and are ready to publish it. We have the data of your client base of patients, namely their passports, personal data, questionnaires, nude photos and the like. Our blog is followed by a lot of world media, the case will be widely publicized, and will cause significant damage to your business. Your time is running out. We are ready to unleash our full power on you!
The lawsuit claimed that Lehigh Valley Health Network was aware, or should have known, of the serious risk and potential harm associated with a data breach, especially since the healthcare sector is the most frequently targeted sector by cybercriminals. The lawsuit claimed that Lehigh Valley Health Network did not sufficiently protect its confidential information.
The Court of Common Pleas has set a final fairness hearing for November 15, 2024, to assess whether the settlement should be granted final approval. If the settlement is approved, attorneys said that funds should be allocated early next year. Individuals who have been informed they are in the class don’t need to take any steps to obtain compensation.