Healthcare giant settles patient data theft case for $65M

The US healthcare giant will pay $65 million to settle a class action lawsuit brought by its patients after ransomware hackers stole their data – including their nude photos – and published at least some of them online.

Lehigh Valley Health Network (LVHN), one of the largest primary care groups in Pennsylvania, discovered an IT breach on February 6, 2023 and later named the infamous group ALPHV aka BlackCat for that attack.

Whoever was responsible, gigabytes of data detailing 134,000 patients and staff were stolen by hackers. Names, addresses, Social Security numbers, and national ID information were stolen, as were medical records and surgical images. A ransom was sought to prevent the content from being published online.

According to the case [PDF] filed against LVHN the following month, the medical team was taking nude pictures of cancer patients – in some cases without their knowledge.

When the hospital refused to pay BlackCat’s ransom to ensure the stolen data was not released, malicious hackers posted the material online – and LVHN’s customers were left angry.

“While LVHN brags about standing up to these criminals and refusing to meet their ransom demands, they willfully and willfully ignore the real victims,” ​​the lawsuit says. “Instead of working in the best interests of their patients, LVHN puts its own financial interests first.”

LVHN announced the attack publicly on February 20 of that year, and said its scope was limited.

On March 4, the ALPHV gang posted a warning on its website threatening to distribute the stolen images online unless LVHN paid up. The medical team refused, so the hackers proceeded to upload the stolen material to their dark web site – including photos containing personal information.

Court documents recount how the unnamed plaintiff was called by the hospital’s vice president on March 6, with news that her nude photos were now online, before giving — “with a laugh ” – two years of credit monitoring services. The Jane Doe plaintiff responded that she did not know the hospital had taken nude photos of her during breast cancer treatment, nor that it was storing them on commercial servers.

When LVHN notified customers and employees of the privacy breach, ALPHV stepped up the pressure, leaking another 132GB of material online on March 10 and threatening to reveal more every week until the ransom was paid.

Court documents do not say whether the ransom was ever paid, and neither LVHN nor the lawyers involved responded to our inquiries.

The plaintiff’s lawyers argued that the hospital failed in its duty to protect information. Additionally, its actions were deemed to be in violation of the American Health Insurance Portability and Accountability Act.

The health care group, while agreeing to the terms of the settlement, denied any wrongdoing.

LVHN has experience in this area. Back in July 2022, the medical group confirmed that it had been the victim of a similar ransomware attack that affected 75,628 patients. It seems that adequate precautions were not taken to stop the recurrence – which is unusual since the medical field is the main target of ransom scumbags.

The plaintiff’s law firm, Saltz Mongeluzzi Bendesky, said the settlement is “the largest of its kind, on a per-patient basis, in a health care procurement case.” Those whose information is entered online are divided into four categories, the lowest of which will receive $ 50 each due to the fact that their medical records have been accessed. The highest profile – those whose nude photos appeared online – will get between $70,000 and $80,000 – after lawyers take a cut. ®