Hospital to pay $65 million to end lawsuit over cyberattack that exposed nude photos of patients

Lehigh Valley Health Network has agreed to a $65 million settlement of a class action with patients and employees affected by a 2023 ransomware attack that exposed personal and medical information, including nude photos of patients.

Each settlement class member is to receive a payment ranging from $50 to $70,000; with the maximum for those who had their pirated nude photos published online.

Class attorneys at the Saltz Mongeluzzi Bendesky law firm said the settlement is believed to be the largest of its kind on a patient basis in a ransomware healthcare data breach case. They commended LVHN for its efforts to reach an agreement.

LVHN refused to pay the undisclosed ransom amount demanded by the hackers, a decision the plaintiffs argued meant the healthcare company put its own financial concerns ahead of those of patients.

The lawsuit was filed in March 2023 on behalf of about 135,000 patients and health care employees, more than 600 of whom attorneys said had their personal medical record photos hacked and posted online, according to the law firm.

Blank images of breast cancer patients were published on the hacker group’s data leak site, along with medical questionnaires, passports and other sensitive patient data such as driver’s license numbers, social security numbers, medical diagnosis/treatment information and laboratory results.

According to the class action complaint, the February 6, 2023 data breach was “much more significant” than most because it resulted in the disclosure of more than personally identifiable information and protected health information. LVHN cancer patients receiving treatment were photographed nude, and those images stored on the LVHN network were stolen by hackers as part of the data breach.

No redemption payment

“The hackers told LVHN that they owned these images and if LVHN refused to pay their ransom demand, the hackers would publicly release these sensitive images. LVHN should have acted seriously considering the consequences to these patients if those images were released on the internet where they can remain forever. LVHN knowingly, recklessly and intentionally made the decision to let the hackers post the nude images of the plaintiff and others on the Internet,” the complaint alleges.

The complaint said that while LVHN was “publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands,” the hospital was “consciously and willfully ignoring the real victims” and that instead of acting on in front of their patients In the best interest, LVHN put “their own financial considerations first”.

LVHN’s response is in line with advice from the Federal Bureau of Investigation (FBI), which advises against paying ransoms. The FBI says that payment encourages other attacks and does not guarantee that payment will end the extortion or that the stolen data will be deleted.

LVHN’s investigation into cyber attacks found that cyber hackers, ALPHV, also known as BlackCat, were responsible for the attack. ALPHV has become notorious for launching cyber attacks against academia and medical institutions and demanding ransom payments. He is believed to be associated with Russia.

LVHN President and CEO Brian A. Nester said a doctor in Lackawanna County appeared to be the epicenter of the attack. LVHN includes 31 hospitals, 28 health centers, 20 ExpressCARE locations and other medical offices, pharmacy, imaging, home health, rehabilitation and laboratory services in 10 counties in eastern Pennsylvania.

BlackCat warning

On March 4, 2023, the hackers posted a public message to LVHN warning that if they did not meet their ransom demands, they would publicly post stolen data, including nude photos of cancer patients receiving treatment. The message from BlackCat said:

We have been in your network for a long time and have had time to study your business. Besides, we have stolen your confidential data and we are ready to publish it. We have the data of your patient customer base, i.e. passports, personal data, questionnaires, nude photos and the like. Our blog is followed by a lot of the world’s media, the case will be widely publicized and cause significant damage to your business. Your time is running out. We are ready to unleash all our power on you!

After LVHN refused the ransom demand, ALPHV posted data stolen from LVHN on the dark web. As ALPHV warned it would, ALPHV posted nude photos of the lead plaintiff, who went after Jane Doe in the case, as well as other cancer patients.

After LVHN continued to refuse to give in to the hackers, on March 10, ALPHV uploaded additional patient data and photos and threatened to leak more every week until the ransom was paid.

Target sector

The lawsuit alleged that LVHN knew or should have known of the risk and serious harm that would occur from a data breach, especially since the healthcare sector is among the most targeted by hackers. A Verizon data breach report found that the healthcare industry was the most affected by data breaches of any industry for 10 years in a row.

But the Pennsylvania healthcare company failed to adequately secure its confidential information, the suit alleged.

The Court of Common Pleas has scheduled for November 15, 2024, the final fairness hearing to determine whether the settlement should receive final approval. If approved, advocates said the funds should be distributed early next year. Those who have been notified that they are part of the class are not required to take any action to receive compensation.

TOPICS
Cyber ​​processes