LVHN reaches agreement to pay $65M to settle hacking suit
Lehigh Valley Health Network has tentatively reached an agreement to pay $65 million on behalf of cancer patients whose nude photos were hacked.
Class-action attorneys at Saltz Mongeluzzi Bendesky filed the case in March 2023, on behalf of nearly 135,000 patients and employees of the health system, more than 600 of whom had their personal medical-record photos hacked and posted on the internet, the firm said in a release Wednesday. The suit was filed in Lackawanna County Court.
“Lehigh Valley Health Network has tentatively resolved a class action pertaining to the 2023 cybersecurity attack by a Russian ransomware gang known as BlackCat,” the health network said in a statement.
“The attack was limited to the network supporting one physician practice located in Lackawanna County,” the network said. Class members will receive separate written notice with additional information about the settlement.
“During our response in 2023, LVHN identified the unauthorized activity, immediately launched an investigation, engaged leading cybersecurity firms and experts, and notified law enforcement. After investigating, we provided notices to individuals whose information was involve,” LVHN said. BlackCat demanded a ransom payment, but LVHN said it refused to pay this criminal enterprise.
The settlement is believed to be the largest of its kind, on a per-patient basis, in a health care data breach-ransomware case, the law firm said.
The mediated settlement was reached under the guidance of a mediator.
The court has scheduled a Nov. 15 final fairness hearing to determine if the settlement should receive final approval. If approved, the settlement funds are expected to be distributed early next year. Those who have been notified they are in the class are not required to take any action to receive compensation. Every settlement class member, under the agreement, will receive payment, ranging from $50 to $70,000; those receiving the maximum had their hacked nude photos published online.
“Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future,” LVHN concluded in its statement.