A $65 million settlement has been reached in a class action lawsuit against Lehigh Valley Health Network (LVHN) in Pennsylvania, related to a ransomware attack that occurred in February 2023.
Description
The breach, caused by the ALPHV/BlackCat ransomware gang [2], impacted patients undergoing radiation oncology treatment in Lackawanna County [4], with over 600 patients having their photos, including nude photographs [2] [4] [5] [6] [8], posted online [1] [2] [3] [5] [8]. Nearly 135,000 patients and employees were affected [3] [5] [8], with sensitive information such as medical records [4], treatment details [4], addresses [5], Social Security numbers [5], and financial data exposed [4]. The lawsuit alleged that LVHN violated the Health Insurance Portability and Accountability Act by failing to adequately protect patient data, which led to the release of sensitive images.
Each affected individual will receive compensation from the settlement fund [2], with payments ranging from $50 to $70,000 per class member [4], and those whose nude photos were published online receiving the maximum amount [5]. The settlement [1] [2] [3] [4] [5] [6] [7] [8], believed to be the largest of its kind in a healthcare data breach-ransomware case on a per-patient basis [1] [3], was reached in a case filed in March 2023 [3]. Pending final approval by the Lackawanna County Court of Common Pleas on November 15, the funds are expected to be distributed early next year to class members without requiring any action on their part. LVHN does not admit to wrongdoing [2].
The cyberattack [1] [5] [7] [8], disclosed in February 2023 [7], involved the hacking of a physician’s office by the ransomware gang “BlackCat.” Nearly 2,800 patients had sensitive photos stolen during the attack [7]. Affected patients have been placed into relief tiers based on the information stolen [7]. Notices have been sent to class members [7], and payments will be automatically distributed [7]. Patients can submit claims for additional expenses by November 3 [7], with a final settlement hearing scheduled for November 15 [7]. A final fairness hearing is scheduled for November 2024 to determine the settlement’s approval [4].
Conclusion
The settlement reached in the class action lawsuit against LVHN highlights the importance of cybersecurity measures in protecting sensitive patient data. The impacts of the ransomware attack on patients and employees were significant, with the exposure of personal and medical information [8]. Moving forward, healthcare organizations must prioritize data security to prevent similar breaches and protect patient privacy.
References
[1] https://www.tnonline.com/20240912/lvhn-reaches-agreement-to-pay-65m-to-settle-hacking-suit/
[2] https://healthexec.com/topics/health-it/cybersecurity/lehigh-valley-health-network-pay-65m-after-nudes-patients-leaked-online
[3] https://www.smbb.com/news-article/record-65-million-settlement-reached-between-saltz-mongeluzzi-bendesky-and-lvhn-on-behalf-of-cancer-patients-whose-nude-photos-were-hacked/
[4] https://www.lehighvalleylive.com/news/2024/09/tentative-65m-settlement-reached-with-lvhn-after-cyberattack-release-of-nude-photos.html
[5] https://www.yahoo.com/news/pa-based-health-company-reaches-091431149.html
[6] https://www.infosecurity-magazine.com/news/record-settlement-hacked-patient/
[7] https://www.wfmz.com/news/area/lehighvalley/lvhn-to-pay-65m-after-cyberattack-cancer-patients-photos-posted-on-dark-web/article_219e1d9a-7112-11ef-b70b-677dfa8b40a1.html
[8] https://www.insurancejournal.com/news/east/2024/09/12/792600.htm