Hospital to Pay $65M to End Suit Over Cyber Attack That Exposed Patients’ Nude Photos

Lehigh Valley Health Network has agreed to a $65 million settlement of a class action with patients and employees affected by a 2023 ransomware attack that exposed personal and medical information including nude photos of patients.

Every settlement class member is to receive payment, ranging from $50 to $70,000; with the maximum going to those had their hacked nude photos published online.

Lawyers for the class at Saltz Mongeluzzi Bendesky law firm said the settlement is believed to be the largest of its kind, on a per-patient basis, in a healthcare data breach-ransomware case. They commended LVHN for its efforts in reaching the agreement.

LVHN had refused to pay the undisclosed amount of ransom demanded by the hackers, a decision the plaintiffs argued amounted to the healthcare company putting its own financial concerns before the concerns of patients.

The lawsuit was filed in March 2023 on behalf of an estimated 135,000 patients and employees of the health system, more than 600 of whom the lawyers said had their personal medical-record photos hacked and posted on the internet, according to the law firm.

Naked images of breast cancer patients were published on the hacker group’s data leak site, along with medical questionnaires, passports, and other sensitive patient data such as driver’s license numbers, Social Security numbers, medical diagnosis/treatment information, and lab results.

According to the class complaint, the February 6, 2023 data breach was “far more consequential” than most because it resulted in disclosure of more than personally identifiable information and protected health information. LVHN cancer patients receiving treatment were photographed in the nude and those images stored on LVHN’s network were stolen by the hackers as part of the data breach.

No Ransom Payment

“LVHN was told by the hackers that they had these images and if LVHN refused to pay their ransom demand, the hackers would release these sensitive images publicly. LVHN needed to act with serious consideration of the consequences that would befall these patients if those images were released on the internet where they can stay forever. LVHN made the knowing, reckless, and willful, decision to let the hackers post the nude images of Plaintiff and others on the internet,” the complaint alleged.

The complaint said that while LVHN was “publicly patting itself on the back for standing-up to these hackers and refusing to meet their ransom demands,” the hospital was “consciously and intentionally ignoring the real victims” and that rather than acting in their patients’ best interest, LVHN put its “own financial considerations first.”

LVHN’s response is in line with advice from the Federal Bureau of Investigation (FBI), which advises against paying ransoms. The FBI says payment encourages further attacks and does not guarantee that payment will put an end to the extortion or that stolen data will be deleted.

LVHN’s investigation of the cyber attacks found that cyber-hackers, ALPHV, also known as BlackCat, were responsible for the attack. ALPHV has become notorious for launching cyber attacks against academia and healthcare institutions and demanding ransom payments. It is believed to be associated with Russia.

LVHN President and CEO Brian A. Nester said that a Lackawanna County physician practice appeared to be the epicenter of the attack. LVHN includes 31 hospitals, 28 health centers, 20 ExpressCARE locations, and other physician practices, pharmacy, imaging, home health, rehabilitation, and lab services in 10 eastern Pennsylvania counties.

BlackCat Warning

On March 4, 2023, the hackers posted a public message to LVHN warning that if it did not meet their ransom demands they would publicly post stolen data, including nude photos of cancer patients receiving treatment. The message from BlackCat read:

We have been in your network for a long time and have had time to study your business. In addition, we have stolen your confidential data and are ready to publish it. We have the data of your client base of patients, namely their passports, personal data, questionnaires, nude photos and the like. Our blog is followed by a lot of world media, the case will be widely publicized, and will cause significant damage to your business. Your time is running out. We are ready to unleash our full power on you!

After LVHN refused the ransom demand, ALPHV posted stolen data from LVHN on the dark web. As ALPHV had warned it would do, ALPHV posted nude photographs of the lead plaintiff, who went by Jane Doe in the case, as well other cancer patients.

After LVHN continued to refuse to give into the hackers, on March 10, ALPHV uploaded additional patient data and photos and threatened to leak more every week until the ransom was paid.

Targeted Sector

The lawsuit claimed that LVHN knew or should have known of the serious risk and harm that would occur from a data breach, especially since the healthcare sector is among the most targeted by hackers. A Verizon data breach report found that the healthcare industry has been he most impacted by data breaches of any industry for 10 years in a row.

But the Pennsylvania healthcare company failed to adequately secure its confidential information, the suit alleged.

The Court of Common Pleas has scheduled a November 15, 2024, final fairness hearing to determine if the settlement should receive final approval. If approved, the lawyers said funds should be distributed early next year. Those who have been notified they are in the class are not required to take any action to receive compensation.

Topics Lawsuits Cyber