Lehigh Valley Health Network has come to a $65 million class-action lawsuit settlement stemming from a 2023 ransomware attack that led to hundreds of patients’ nude medical record photos being posted online.
The deal was announced by the plaintiffs’ legal representation Wednesday afternoon and will go before a court for final approval in November.
Approximately 135,000 of the health system’s patients and employees are included in the class, making the settlement what law firm Saltz Mongeluzzi Bendesky believes is “the largest of its kind, on a per-patient basis, in a healthcare data breach-ransomware case.” More than 600 of these class members “had their personal medical-record photos hacked and posted on the internet,” the firm said.
LVHN denies any wrongdoing under the settlement but said in a statement to Fierce Healthcare that “patient, physician and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future.”
The proposed settlement hands out payments to class members ranging from $50 to $70,000, with those whose nude images were posted by hackers to the Dark Web receiving the maximum amount. Eighty percent of the total proposed settlement, or $52 million, has been allocated to those individuals.
LVHN is a nonprofit that runs 13 hospitals, 28 health centers and other locations in eastern Pennsylvania (though it recently closed a $14 billion merger with nearby Jefferson Health).
The system was attacked in February 2023 by BlackCat, a ransomware group, during which nude images of cancer patients receiving treatment that were stored on LVHN’s network were compromised, according to the complaint filed in March 2023 by an anonymous “Jane Doe” class member.
In its statement, the system said that the attack was “limited to the network supporting one physician practice located in Lackawanna County,” and that it had “immediately launched an investigation, engaged leading cybersecurity firms and experts, and notified law enforcement.”
After investigating, we provided notices to individuals whose information was involved. BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise,” the system said.
That decision was critiqued by the plaintiff in her class action complaint, who noted that pictures posted online will “stay there forever.”
“Indeed, while LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims: Plaintiff and the Class,” the 2023 complaint reads. “Rather than act in their patients’ best interest, LVHN put its own financial considerations first. LVHN must be held to account for the embarrassment and humiliation it has caused Plaintiff and the Class.”
The law firm said it expects the settlement funds to be distributed “early next year” if approved by the court. Class members who have already been notified would not need to do anything to receive their share of the settlement.