A Pennsylvania-based hospital network has agreed to a $65 million settlement in a class action suit tied to a massive data leak, including the publication of images of 600 nude cancer patients.
The lawsuit, filed in March 2023, followed the discovery that Lehigh Valley Health Network’s (LVHN) data security allowed a hacker to break into its systems and obtain personal data on at least 134,000 people, including the cancer patients. The proposed settlement was announced by plaintiffs’ lawyer Patrick Howard on Wednesday afternoon.
The nude images and other data were posted to the dark web by the Russian ransomware group BlackCat after LVHN declined to pay the ransom, Howard said in an interview with Recorded Future News.
Howard would not specify how much in ransom the cybercriminals demanded, due to confidentiality requirements pertaining to some details in the case, but local news reports from the time cited court filings putting it at more than $5 million.
There have been bigger financial settlements in other class-action lawsuit settlements, but Howard said the proposed LVHN settlement is likely the largest ever U.S. class action settlement in terms of dollars received per plaintiff.
All plaintiffs are receiving at least $50, but the cancer patients whose breasts or genitals were posted will each get $70,000 to $80,000 in compensation, Howard said. They also will share in a pot of money that will be allocated to those whose diagnostic information was revealed, receiving an additional $1,000 per victim.
LVHN confirmed Thursday that it has “tentatively resolved” the lawsuit tied to the 2023 hack.
“The attack was limited to the network supporting one physician practice located in Lackawanna County,” the spokesperson said in a statement.
After LVHN discovered the hack the spokesperson said it immediately began investigating, alerted law enforcement and hired top cybersecurity experts to help it address the incident.
After investigating, the spokesperson said LVHN notified impacted customers.
“BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise,” the statement said. “Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future.”
The incident occurred at a Scranton cancer treatment facility which LVHN had recently acquired, Howard said.
Howard said he was able to obtain copies of what BlackCat published to use in the lawsuit.
“The hacker had just made it publicly available — it wasn’t subject to any sort of paywall or negotiation to get at,” Howard said. “It was just right there.”
In addition to names and home addresses, some victims’, including some whose nude images or medical diagnoses were revealed, had their Social Security numbers posted.
In a letter sent to the judge in the case shortly after the lawsuit was filed, Howard expressed outrage at the violations.
“Every day this case remains unresolved is another day that nude images of … class members remain available for download from the dark web,” Howard wrote in the letter. “Indeed, the hackers have indexed the data and it can be searched using patient and/or employee names.”
The case was in litigation for over a year, Howard said.
He praised the hospital network for agreeing to the proposed settlement, saying that “at the end of the day, they recognized that they needed to make right by these people.”
LVHN agreed in May to combine with Philadelphia-area health network Jefferson.
Recorded Future
Intelligence Cloud.
No previous article
No new articles
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.