Lehigh Valley Health Network has recently agreed to a $65 million settlement in a class action lawsuit stemming from a ransomware attack in 2023 that exposed personal and medical information, including nude photos of patients. This settlement, according to the Saltz Mongeluzzi Bendesky law firm, is the largest of its kind on a per-patient basis in cases involving healthcare data breaches and ransomware.
The incident began when hackers targeted the healthcare organization, demanding an undisclosed ransom amount. Despite the pressure, Lehigh Valley Health Network made the controversial decision not to pay the ransom, leading to the exposure of sensitive information. Plaintiffs argued that this choice reflected the organization’s prioritization of financial interests over the well-being of its patients.
A lawsuit was subsequently filed on behalf of approximately 135,000 patients and staff affected by the breach. Allegations surfaced that over 600 individuals had their personal medical record photos compromised and shared online, with some particularly egregious cases involving breast cancer patients. The hackers had threatened to release the images publicly if their demands were not met, putting the affected individuals at risk of long-term harm.
Lehigh Valley Health Network’s response to the cyber attack aligned with FBI recommendations advising against paying ransoms to hackers. The investigation identified the cyber-hackers responsible for the breach as ALPHV, also known as BlackCat, a group known for targeting academic and healthcare institutions for financial gain. CEO Brian A. Nester revealed that a physician practice in Lackawanna County appeared to be the primary target of the attack.
The lawsuit highlighted the organization’s alleged negligence in adequately protecting confidential information, especially in an industry as frequently targeted by cybercriminals as healthcare. The Court of Common Pleas has scheduled a final fairness hearing for November 15, 2024, to determine the approval of the settlement. If approved, funds will be disbursed to eligible individuals without requiring further action on their part.
Overall, the Lehigh Valley Health Network cyber attack and subsequent settlement underscore the increasing threat of ransomware attacks on sensitive data and the need for robust cybersecurity measures in safeguarding personal and medical information. The repercussions of such breaches can be severe, not only in financial terms but also in the lasting impact on individuals whose privacy is violated.