(WJET/WFXP) – Lehigh Valley Health Network (LVHN), a Pennsylvania-based healthcare company that is one of the state’s largest primary care groups, has reached a $65 million settlement after the data of approximately 135,000 patients and employees was leaked earlier this month.
Photos, including nude photos, from the personal medical records of over 600 of these patients were hacked and posted on the internet.
As part of the settlement, members of the settlement class will each receive between $50,000 and $70,000, with those whose nude photos were published online receiving the highest amount. Lawyers estimate that the funds will be distributed early next year.
According to the complaint, the data breach occurred on February 6, 2023, and exposed personally identifiable information and protected health information, including one or more of the following: addresses, email addresses, Social Security numbers, passport information, driver’s license numbers/state ID numbers, health insurance carriers, medical diagnosis/treatment information, medications, lab results, and nude photographs.
The data leak was later traced to the hacker group ALPHV (aka BlackCat), notorious for cyberattacks against academic and medical institutions. In total, around 132 gigabytes of information and images were uploaded to the dark web.
During the data breach, the hackers told LVHN that sensitive images would be made public unless it paid the ransom. Despite knowing this, LVHN did not pay the ransom, and the images were subsequently made public.
The lawsuit accuses LVHN of putting its own “financial considerations” above “the best interests of its patients.”
As a result, the lawsuit alleges, the class, including the plaintiff identified only as Jane Doe, suffered embarrassment and humiliation.
Doe will also receive a larger share of the settlement, according to the law firm Saltz Mongeluzzi Bendesky, which represents the class.
“If this case had gone to trial, she would have lost her anonymity and would have had to sit in front of a packed courtroom while we showed her nude photos to the jury and judge,” attorney Patrick Howard said in a statement included in the firm’s news release. “She was taking a risk. She is obviously very sensitive to what happened here, and it has been very difficult emotionally. She brought the case knowing the risks, and we hope that she will be paid appropriate compensation.”
In a statement released by Saltz Mongeluzzi Bendesky, LVHN defended its decision to refuse to pay the hackers, but said it would “continue to strengthen” its cybersecurity defences.
Allentown-based LVHN operates 15 health systems totaling 32 hospitals in eastern Pennsylvania.