Hospital system to pay $65 million for dark web data leak, including images of nude cancer patients

Siva Ramakrishnan
A Pennsylvania-based hospital network has agreed to a $65 million settlement in a class action suit tied to a massive data leak, including the publication of images of 600 nude cancer patients.

A Pennsylvania-based hospital network has agreed to a $65 million settlement in a class action suit tied to a massive data leak, including the publication of images of 600 nude cancer patients.

The lawsuit, filed in March 2023, followed the discovery that Lehigh Valley Health Network’s (LVHN) data security allowed a hacker to break into its systems and obtain personal data on at least 134,000 people, including the cancer patients. The proposed settlement was announced by plaintiffs’ lawyer Patrick Howard on Wednesday afternoon.

The nude images and other data were posted to the dark web by the Russian ransomware group BlackCat after LVHN declined to pay the ransom, Howard said in an interview with Recorded Future News.

Howard would not specify how much in ransom the cybercriminals demanded, due to confidentiality requirements pertaining to some details in the case, but local news reports from the time cited court filings putting it at more than $5 million.

There have been bigger financial settlements in other class-action lawsuit settlements, but Howard said the proposed LVHN settlement is likely the largest ever U.S. class action settlement in terms of dollars received per plaintiff.

All plaintiffs are receiving at least $50, but the cancer patients whose breasts or genitals were posted will each get $70,000 to $80,000 in compensation, Howard said. They also will share in a pot of money that will be allocated to those whose diagnostic information was revealed, receiving an additional $1,000 per victim. 

LVHN confirmed Thursday that it has “tentatively resolved” the lawsuit tied to the 2023 hack.

“The attack was limited to the network supporting one physician practice located in Lackawanna County,” the spokesperson said in a statement.

After LVHN discovered the hack the spokesperson said it immediately began investigating, alerted law enforcement and hired top cybersecurity experts to help it address the incident.

After investigating, the spokesperson said LVHN notified impacted customers.

“BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise,” the statement said. “Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future.” 

The incident occurred at a Scranton cancer treatment facility which LVHN had recently acquired, Howard said.

Howard said he was able to obtain copies of what BlackCat published to use in the lawsuit.

“The hacker had just made it publicly available — it wasn’t subject to any sort of paywall or negotiation to get at,” Howard said. “It was just right there.” 

In addition to names and home addresses, some victims’, including some whose nude images or medical diagnoses were revealed, had their Social Security numbers posted.

In a letter sent to the judge in the case shortly after the lawsuit was filed, Howard expressed outrage at the violations.

“Every day this case remains unresolved is another day that nude images of … class members remain available for download from the dark web,” Howard wrote in the letter. “Indeed, the hackers have indexed the data and it can be searched using patient and/or employee names.” 

The case was in litigation for over a year, Howard said.

He praised the hospital network for agreeing to the proposed settlement, saying that “at the end of the day, they recognized that they needed to make right by these people.”

LVHN agreed in May to combine with Philadelphia-area health network Jefferson.

CybercrimeIndustryNews
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 

Total
0
Shares
Previous Post

US sanctions Cambodian tycoon for alleged human trafficking to cyber scam centers

Next Post

New but ‘immature’ ransomware group CosmicBeetle targets small businesses

Related Posts

Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability

Apple has released iOS and iPadOS updates to address two security issues, one of which could have allowed a user's passwords to be read out aloud by its VoiceOver assistive technology. The vulnerability, tracked as CVE-2024-44204, has been described as a logic problem in the new Passwords app impacting a slew of iPhones and iPads. Security researcher Bistrit Daha has been credited with
Avatar
Read More

New “Raptor Train” IoT Botnet Compromises Over 200,000 Devices Worldwide

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett). The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020,
Avatar
Read More