Lehigh Valley Health Network (LVHN) has agreed to a $65 million settlement in a class-action lawsuit following a massive data breach in 2023. The breach led to the leak of personal data of approximately 134,000 patients and employees, including nude images of 600 cancer patients, which were posted online by the Russian ransomware group BlackCat.
The data breach occurred in February 2023, when the ransomware group hacked into LVHN's systems. The group demanded a ransom, which LVHN refused to pay. As a result, the hackers posted the stolen data, including the nude images, on the dark web. The lawsuit was filed in March 2023, and the proposed settlement was announced on Wednesday (September 11).
Under the terms of the settlement, all plaintiffs will receive at least $50. However, the cancer patients whose nude images were posted online will each receive between $70,000 and $80,000 in compensation. They will also share in a pot of money that will be allocated to those whose diagnostic information was revealed, receiving an additional $1,000 per victim.
Despite the settlement, LVHN denies any wrongdoing. In a statement, the hospital network said that patient, physician, and staff privacy is among its top priorities, and it continues to enhance its defenses to prevent future incidents. The settlement is expected to be distributed early next year if approved by the court.
This incident marks the second time LVHN has been the victim of a ransomware attack. In July 2022, the medical group confirmed a similar attack that affected 75,628 patients. The recent settlement is believed to be the largest of its kind on a per-patient basis in a healthcare data breach ransomware case.