Pennsylvania healthcare provider Lehigh Valley Health Network (LVHN) has reached a $65 million settlement in a class-action suit filed over a 2023 data breach.
LVHN disclosed the incident in late February 2023, revealing that the attackers had access to its network beginning early January, that ransomware was deployed in early February, and that data was stolen from its network, mainly impacting Lehigh Valley Physician Group (LVPG) – Delta Medix.
The healthcare provider started notifying the potentially affected individuals in mid-March and confirmed in July that the Alphv/BlackCat ransomware gang was responsible for the incident.
The hackers had stolen personal information such as names, addresses, phone numbers, medical and treatment information, and health insurance information. For some individuals, email addresses, driver’s license numbers, Social Security numbers, and banking information was also compromised.
Furthermore, LVHN revealed, the ransomware group stole “clinical images of patients during treatment” for a limited number of individuals.
The organization provided the affected individuals with two years of identity protection and credit monitoring services. Over 130,000 patients and employees were potentially affected by the data breach.
What LVHN did not explicitly say in its incident notice was that nude photos of patients were also stolen from its systems. In March 2023, the BlackCat ransomware gang published some of the stolen information on its Tor-based leak site, including such photos.
The class-action lawsuit was filed against LVHN in March 2023, alleging that the healthcare provider failed to protect patient data.
On September 11, 2024, the law firm Saltz Mongeluzzi Bendesky announced reaching a $65 million settlement with LVHN over the class-action lawsuit, noting that it is likely the largest settlement ever in a healthcare data breach-ransomware case.
A fairness hearing for the settlement’s final approval has been set for November 15, 2024.
Every individual who received a notification letter from LVHN is considered part of the lawsuit and should receive compensation, without having to take any action.
Should the settlement be approved, every class member will receive a payment ranging from $50 to $70,000. Only those who had their nude photos leaked will receive the maximum amount.
Related: Clearview AI Fined $33.7 Million by Dutch Data Protection Watchdog Over ‘Illegal Database’ of Faces
Related: Verkada Settles With FTC Over Poor Security Practices That Led to Camera Hacking
Related: Google to Pay Indiana $20 Million to Resolve Privacy Suit
Related: Anthem to Pay Nearly $40M Settlement Over 2015 Cyberattack