(WJET/WFXP) – Pennsylvania-based health company Lehigh Valley Health Network (LVHN), one of the largest primary care groups in Pennsylvania, earlier this month reached a $65 million settlement after the data of nearly 135,000 patients and employees were exposed.
Of those patients, over 600 had their personal medical record photos, which included nude photographs, hacked and posted on the internet.
As part of the settlement, each Settlement Class member will receive a payment ranging from $50 to $70,000, with those who had their nude photos published online receiving the maximum. The attorneys estimate that the funds will be distributed early next year.
According to the lawsuit, the data breach occurred on February 6, 2023, exposing personally identifiable information and protected health information including one or more of the following: address, email address, Social Security number, passport information, driver’s license number/state ID number, health insurance provider, medical diagnosis/medical treatment information, medication, lab results, and nude photographs.
The data breach was later identified as the work of the cyber-hacker group ALPHV, also known as BlackCat. ALPHV has gained notoriety for cyberattacks against academia and healthcare institutions. In total, around 132 gigabytes of information and images were uploaded to the dark web.
At the time of the data breach, the hackers told LVHN that if the ransom was not paid, the sensitive images would be released publicly. Despite having this knowledge, LVHN did not pay the ransom, and the images were subsequently released.
The lawsuit accused LVHN of putting its own “financial considerations” above “their patients’ best interest.”
As a result, the lawsuit argued that the class, including a plaintiff identified only as Jane Doe, has suffered embarrassment and humiliation.
Doe will also get a larger portion of the settlement money, according to Saltz Mongeluzzi Bendesky, the law firm representing the class.
“Had the case gone to trial she would have lost her anonymity and she would have had to sit there in front of a courtroom full of people while we displayed her nude images to the jury, to the judge,” attorney Patrick Howard said, per a statement included in the firm’s news release. “She was taking a risk. She’s obviously very sensitive about what happened here and it’s been a lot emotionally for her. For her to step out and bring the lawsuit knowing that’s the risk, we wanted to see her properly compensated.”
LVHN, in a statement published by Saltz Mongeluzzi Bendesky, defended its decision to refuse payment to the hackers, but said it would “continue to enhance” its cybersecurity defenses.
LVHN, based in Allentown, operates 15 health systems with a combined 32 hospitals in eastern Pennsylvania.