Pennsylvania Firm to Pay $65M for Cancer Patient Photo Hack
Lehigh Valley Health Network Will Pay 134,000 Victims of Ransomware Attack and Leak

A Pennsylvania-based healthcare system, hacked by ransomware group BlackCat in 2023 and extorted over stolen exam photos of breast cancer patients posted on a data leak site, has agreed to pay $65 million in a proposed settlement of a class action lawsuit affecting 134,000 patients and employees.
Images leaked by the criminal gang included screenshots of patient diagnoses and pictures of breast cancer patients disrobed from the waist up during medical exams (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).
The cyberattack by the Russian ransomware group BlackCat in February 2023 hit Lackawanna County-based Delta Medix Group, a physician practice that is part of the Lehigh Valley Health Network.
At the time, Lehigh Valley Health Network said the incident had not caused any disruption to the healthcare organization's systems (see: Pennsylvania Health System CEO Confirms BlackCat Attack).
In a statement to Information Security Media Group on Monday, Lehigh Valley Health Network said it hired cybersecurity firms to investigate the attack and notified law enforcement.
"BlackCat demanded a ransom, but LVHN refused to pay this criminal enterprise," the statement said, adding that the healthcare system is continuing "to enhance our defenses to prevent incidents in the future."
Under the preliminary settlement, Lehigh Valley Health Network has agreed to pay four tiers of affected class members. These include $50 to each individual whose medical records were accessed in the cyberattack; $1,000 to individuals whose information was posted on the internet; $7,500 to any patient who had "non-nude" photos posted on the dark web; and $70,000 to $80,000 to any patient who had "nude photos" posted on the dark web.
The unidentified lead plaintiff, "Jane Doe," is slated to receive $125,000 in damages.
Attorneys representing the plaintiffs will receive $21.5 million, or one-third of the proposed settlement amount.
The lawsuit was initially filed in March 2023 in Lackawanna County Court, Pennsylvania. The case was then transferred to a Pennsylvania federal court but later sent back to the county court.
The case remains pending in Lackawanna County Court, and a final approval hearing of the proposed settlement is scheduled for Nov. 15 (see: Breast Cancer Patients Sue Over Breached Exam Photos, Data).
Under the proposed settlement, class members will receive separate written notice containing additional information about the agreement, Lehigh Valley Health Network said.
Law firm Saltz Mongeluzzi Bendesky, which represented plaintiffs in the litigation against LVHN, said the proposed LVHN settlement "might be the largest class-action settlement per-capita in the nation."
"The $125,000 award to the lead plaintiff is significant," said regulatory attorney Paul Hales of the Hales Law Group, which is not involved in the LVHN litigation. "It is 20 times higher than the typical amount lead plaintiffs receive. The publication of her nude photos no doubt influenced that amount," he said.
"The rapid settlement underscores the trend of healthcare providers settling quickly to avoid ongoing embarrassment and limit their financial costs," Hales said.
Attorney Steven Teppler, chief cybersecurity legal officer at law firm Mandelbaum Barrett PC, who is not involved in the LVHN lawsuit, said he thinks the lead plaintiff "might - repeat, might - have done better in a non-class setting" in terms of payment. "I also think payout tiers such as these will become more common - and will have higher per-class member payouts."
Hales said the underlying LVHN data breach exposes "a chronic vulnerability" of large healthcare organizations that have multiple locations. "They have difficulty conducting enterprisewide risk analyses and implementing effective risk management. Protecting the privacy and security of protected health information requires much more attention from boards of directors and senior management."
Teppler said the proposed settlement in the LVHN case is part of an emerging trend. "We are beginning to see more examples of actual harm and compensation for actual harm," he said.
"Now more than ever, this speaks to the need for both acted-upon risk assessments and adequate cybersecurity insurance," Teppler said. "Keep in mind that the former is typically a necessity for obtaining the latter."