Lehigh Valley Health Network (LVHN) is a large hospital and healthcare system based in Pennsylvania, USA. It operates numerous hospitals, health centers, and outpatient facilities across the region, including the Lehigh Valley area. The network also includes a children’s hospital, rehabilitation centers, and partnerships with academic institutions to support medical education and research.
Lehigh Valley Health Network (LVHN) has agreed to a $65 million settlement in a class action lawsuit related to a data breach that resulted in the publication of images of 600 nude cancer patients.
The healthcare network was the target a BlackCat ransomware attack, the security breach was discovered on February 6. The company immediately launched an investigation to determine the cause and scope of the incident. The investigation determined that the breach occurred on January 8, 2023.
In a data breach notification published on its website, the company reported that affected information varied by individual but potentially included some combination of the following data elements: names, addresses, phone numbers, medical record number, treatment and diagnosis information, including Current Procedural Terminology (CPT) codes, and health insurance information. It also added that “the information for a limited number of individuals included clinical images of patients during treatment.”
The investigation revealed that the ransomware gang had access to the personal data of at least 134,000 individuals, including cancer patients. LVHN refused to pay a ransom and the crooks published the nude images and other sensitive data on their dark web leak site.
In March 2023, a lawsuit was filed. Now Plaintiffs’ lawyer Patrick Howard of the law firm Saltz, Mongeluzzi, & Bendesky announced a proposed $65 million settlement in the lawsuit related to the Lehigh Valley Health Network data breach.
“A record $65 million settlement has been reached between class-action attorneys at Saltz Mongeluzzi Bendesky and Lehigh Valley Health Network (LVHN) in a case filed in March, 2023, on behalf of nearly 135,000 patients and employees of the health system, more than 600 of whom had their personal medical-record photos hacked and posted on the internet, according to the Firm.” reported the law firm.
“The settlement in J. Doe v. Lehigh Valley Health Network, Lackawanna County Court of Common Pleas, No. 23-CV-1149, is believed to be the largest of its kind, on a per-patient basis, in a healthcare data breach-ransomware case.”
Individuals notified as part of the settlement class do not need to take any action to receive compensation. Each patient who participated to the class action will receive payments ranging from $50 to $70,000, with the highest amounts going to those whose hacked nude photos were published online.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)