Lehigh Valley Health Network has agreed to a $65 million settlement following a class-action lawsuit over a 2023 data breach that exposed sensitive patient information, including personal and medical data and images.
Pennsylvania-based Lehigh Valley Health Network (LVHN) has agreed to a $65 million settlement in a class-action lawsuit stemming from a 2023 data breach. The healthcare provider first disclosed the breach in February 2023, revealing that the attackers had infiltrated its network as early as January. By early February, ransomware was deployed, and sensitive patient data, primarily from Lehigh Valley Physician Group (LVPG)—Delta Medix, was stolen.
LVHN notified affected individuals in mid-March 2023 and later confirmed that the Alphv/BlackCat ransomware gang was responsible. The stolen data included personal details such as names, addresses, and medical and treatment information, and, for some individuals, more sensitive data such as Social Security numbers and banking details.
The breach also involved the theft of clinical images, including nude photographs of patients taken during treatment, which the attackers later published on their dark-web leak site.
According to the court settlement document, the lawsuit alleged that LVHN “failed to adequately protect patient data” during a data breach that was publicly disclosed on February 22, 2023. LVHN has denied any wrongdoing, stating that it “denies that the Settlement Class has a viable legal claim.” However, the healthcare provider agreed to the settlement to resolve the case. The class-action suit covers individuals who received notification letters from LVHN regarding the breach.
Settlement Class Members have been placed into one or more of four “Relief Tiers,” and each will receive a payment based on their classification. An independent Special Master has overseen the allocation of the $65 million Settlement Fund. The settlement agreement states that “payments to Settlement Class Members, other than those for ‘Out-of-Pocket Losses’ based on a Claim Form, shall be sent automatically after the Effective Date.” Final approval from the court is still required, however, with a fairness hearing scheduled for November 15, 2024.
According to Security Week:
Alphv/BlackCat is a cybercriminal group that runs a ransomware-as-a-service (RaaS) operation: the core group develops the malware and leak infrastructure, and affiliates carry out the intrusions in exchange for a share of the ransom. Emerging in late 2021, the group drew attention for writing its ransomware in Rust, a choice that at the time complicated analysis by security researchers and let the same codebase target both Windows and Linux/ESXi hosts. BlackCat affiliates target large organizations, deploying ransomware to encrypt data and demanding payment in cryptocurrency to restore access. They also practice "double extortion": data is exfiltrated before it is encrypted, and the group threatens to publish it on its leak site if the ransom is not paid. This doubles the pressure on victims, since a good backup strategy restores operations but does nothing to prevent the public exposure of stolen data. Initial access is typically gained through unpatched, internet-facing systems, weak access controls such as remote access without multi-factor authentication, or phishing.
Over 130,000 individuals had their sensitive information compromised in this breach, including highly personal and confidential details. For some of them, the Alphv/BlackCat group posted nude clinical images online. The public exposure of such private images violates patient confidentiality and causes emotional distress and reputational harm.
A data breach occurs when unauthorized individuals gain access to confidential, sensitive, or protected information. This can result from an external attack, such as an intrusion into the network, or from internal causes such as employee negligence, and leads to the exposure, theft, or loss of personal data.
Ransomware is malicious software that blocks access to data or systems, typically by encrypting them, until a ransom is paid. Groups using ransomware frequently steal data before encrypting it and threaten to leak it if the payment is not made, a tactic known as double extortion.
Settlements are typically reached after negotiations between the defendant (usually the breached company) and the plaintiffs (the affected individuals or their legal representatives). The settlement amount is influenced by the severity of the breach, the sensitivity of the stolen data, and the number of people affected.