In a recent court filing, attorneys on behalf of victims of a devastating ransomware attack in February 2023 have been awarded a settlement of $65 million after hackers uploaded nude photos of cancer patients on the internet.
This settlement is the most significant of its kind in terms of per-patient compensation that has ever been achieved by a law firm on behalf of the plaintiffs, Saltz Mongeluzzi Bendesky.
Earlier this month, a major healthcare company in Pennsylvania, Lehigh Valley Health Network (LVHN), one of the nation's largest primary care groups, settled with the federal government for $65 million after the data of nearly 135,000 patients and employees were compromised.
An unidentified woman in her 50s who goes by the name Jane Doe has become the first plaintiff in a class action lawsuit against Lehigh Valley Healthcare for allegedly failing to safeguard confidential patient information, including nude photos of hundreds of cancer patients, which led to an investigation by the FBI.
It was announced by a law firm on Sept. 12, that Lehigh University had settled with the antitrust enforcement agency of $65 million.
This episode sheds light on the growing threat of cyberthieves infiltrating American healthcare firms with alarming frequency, how these thieves exploit competitively valuable personal information as well as the consequences for individuals and institutions.
A report recently reviewed a list of cases compiled by the Department of Health and Human Services going back to the year 2022 and found almost a dozen breaches that compromised the personally identifiable health information of hundreds of Americans almost every single month. As a result of an investigation by the FBI's Internet Crime Complaint Center, more reported ransomware attacks against targets in the health-care industry last year compared to any other sector it monitors, including six others.
In addition to explaining the legal predicaments for healthcare organizations that are increasingly targeted by cybercriminals, the Lehigh Valley case highlights the legal risks healthcare organizations may face in dealing with cybercriminals as well as complaints brought by patients whose lives have been ruined by a breach.
More than 600 of these patients had their medical records hacked, resulting in the theft and publication of images from those records, including photos of themselves in nude.
This Settlement settlement consists of a payment ranging from $50 to $70,000 for each Settlement Class member, with the maximum payment going to those who had their nude photos published online as part of the settlement. A distribution of the money is estimated to be made in the early part of next year by the attorneys.
A data breach occurred according to the lawsuit on February 6, 2023, and the lawsuit claims that the breach exposed personally identifiable information and protected health information, including an individual's address, an email address, a social security number, a passport number, a driver's license number/state identification number, their health insurance provider, their medical diagnosis and treatment information, their medications, their lab results, and their nude photographs.
There was an incident of data breaches that were later revealed as the work of the cyber-hacker group ALPHV, or BlackCat in the case of the computer virus. ALPHV gained notoriety after one of its cyberattacks was identified against an academic institution and a healthcare establishment.
Dark web authorities have reported that about 132 gigabytes of information have been uploaded to the site.
If LHVN had not paid the ransom demanded by the hackers, the data breach would have resulted in the release of sensitive information to the public. The corporation LVHN did not pay the ransom despite knowing about it, but the images were released after the payment was made.
According to the lawsuit, LVHN has put its own "financial interests" above the best interest of its patient's health to achieve financial success.
Accordingly, the lawsuit can be argued that the class, including a plaintiff identified as only Jane Doe in the lawsuit, has suffered embarrassment and humiliation as a result of this action.
It has also been revealed that Doe will receive a larger portion of the settlement money than the rest of the class, according to Saltz Mongeluzzi Bendesky, the law firm that represents the class. A health system executive called patients to inform them of the breach after they discovered it in February 2023. The executive said that hackers had posted their personal information on the dark web - including nude photos - and that it was not accessible through conventional search engines like Google - which is a collection of hidden websites.
It is the description of the executive who apologized for the behaviour of the woman in her 50s, along with the offer of two years of credit monitoring, which the woman accepted with a chuckle. In the lawsuit, the cancer patient says that she was completely in disbelief that the health system had stored nude photos of her on its computer network. She was in complete disbelief at the time of the incident.
Approximately 135,000 patients, health-system employees, and others involved in the breach will receive a payout as part of the proposed settlement, which still requires a judge's approval. However, according to the agreement, there will be 80 per cent of the settlement money earmarked for the victims whose nude photos were published on the dark web to compensate them.
It is estimated that roughly 600 men and women fall into this category, and each will receive at least $75,000, says Howard. There is a possibility that Jane Doe, as the lead plaintiff, can receive $125,000 as a settlement.