Lehigh Valley Health to Pay $65M After Ransomware Attack Exposed Patient Photos

Lehigh Valley Health Network will pay $65M after settling a class action lawsuit stemming from a ransomware attack in 2023. The attack resulted in the publishing of partially nude photos of breast cancer patients on the dark web.

The Ransomware Attack

Lehigh Valley Health Network (LVHN) operates 13 hospitals and multiple clinics and physician practices in Pennsylvania. On February 6^th, 2023, the Russian-based ransomware group BlackCat, (aka ALPHV) hit one of the network’s physician practices. BlackCat is also responsible for the massive Change Healthcare cyberattack in February 2024.

The attack compromised a computer system that stored images for radiation oncology treatment and other sensitive information, including photos of cancer patients in the nude. LVHN refused to pay the ransom and BlackCat began publishing the photos on the dark web. Other patient data was stolen, including social security numbers and Protected Health Information (PHI) .

The Lawsuit and Settlement

An unidentified plaintiff filed the lawsuit after being told over the phone that the hackers posted nude images of her taken during radiation treatment. The lawsuit alleged LVHN failed to properly secure and safeguard the private and sensitive information it collected, maintained, stored, analyzed, and used in its ordinary course of business. As a result of the breach, the victims suffered the embarrassment of having their photos published online as well as the expense and time commitments of mitigating the potential financial impact of their information being compromised.

LVHN settled the case by agreeing to pay $65 million to the approximately 135,000 patients and employees who are class members in this class action case.

The class members have been broken down into four relief tiers that will receive different compensation amounts. The relief tiers are:

Relief Tier One: All members whose medical records were accessed in the cyber-attack are eligible to receive $50.

Relief Tier Two: Class members whose sensitive medical diagnosis information and/or sensitive employment data were published on the dark web are eligible to receive $1,000.

Relief Tier Three: Class members whose images were published on the dark web by BlackCat, but do not qualify as nude are eligible to receive $7,500.

Relief Tier Four: Class members whose nude images were published on the dark web by BlackCat. The settlement doesn’t specify an award amount, but it does layout procedures for distributing checks to class members in Relief Tier Four that are either less or greater than $50,000.

Class members have until November 3^rd, 2024 to submit a claim form.

Risks Beyond HIPAA Enforcements

Data breaches in the healthcare sector resulting from ransomware and other cyber-attacks can lead to fines from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for HIPAA violations. The larger financial risk is from class action lawsuits, like the Lehigh Valley Health case. Other examples of multimillion-dollar settlements include:

• MGC Health paying $8.8 million
• CorrectCare Integrated Health settling for $6.49 million
• Med-Data agreeing to a $7 million settlement

Foreign Ransomware Groups have their Sights Set on Healthcare

The healthcare industry has been and will continue to be a top target for foreign ransomware groups like BlackCat and Black Basta.

To better prevent and respond to ransomware or other cyber-attacks, organizations should take the following actions:

• Install updates for operating systems, software, and firmware as soon as they are released
• Require phishing-resistant multi-factor authentication (MFA)
• Train employees to recognize and report phishing attempts
• Secure remote access software
• Make backups of critical systems and device configurations
• Carefully vet and monitor third-party vendors that have access to your data
• Proactively monitor systems and networks to detect unusual activities faster
• Develop and test a response plan

To learn more about ransomware and its impact on healthcare, listen to these episodes of Compliance Pointers:

• Geopolitical Ransomware – The Growing Threat and Defense Strategies
• Change Healthcare – The Impact and the Lessons Learned

CompliancePoint has a suite of cybersecurity services designed for healthcare organizations. We can also help organizations achieve HIPAA compliance and HITRUST certification. To learn more about our services, contact us today at connect@compliancepoint.com.