Lehigh Valley Health Network Pays $65 Million to Settle Data Breach Lawsuit

Lehigh Valley Health Network (LVHN) agreed to pay $65 million to settle a class action lawsuit over a data breach in 2023. This settlement of a HIPAA violation will compensate plaintiffs whose sensitive data, including nude photos, was stolen and later posted on the dark web. The breach, caused by a Blackcat ransomware attack, exposed medical and personal information, leading to a legal battle that has now reached this settlement.

In February 2023, LVHN, based in Pennsylvania, announced that it had experienced a Blackcat ransomware attack. The breach was detected on February 6, 2023, and impacted a system that supported a physician practice in Lackawanna County. This system was used to keep patient images for radiation oncology treatments, which included sensitive photos. The ransomware group demanded a ransom payment from LVHN, threatening to publish the stolen data if no payment was made. When LVHN refused to pay the ransom, the attackers exposed the photos of breast cancer patients, which showed them partially nude, in an attempt to pressure the organization to pay.

The release of the stolen data online by the ransomware group triggered legal action. Simon B. Paris and Patrick Howard, attorneys from the law firm Saltz, Mongeluzzi, & Bendesky, P.C., filed a lawsuit in March 2023. The case was filed on behalf of Jane Doe and other similarly affected individuals whose personal data and medical photographs were stolen and exposed. The lawsuit alleged that many patients were unaware that their photos had been taken and stored on the network, and it argued that LVHN failed to implement sufficient security measures to protect this highly sensitive information. The lawsuit criticized LVHN for refusing to pay the ransom, claiming the organization did not prioritize the well-being of its patients.

LVHN, while denying any wrongdoing, agreed to settle the lawsuit to avoid the unpredictability of a jury trial. The settlement still requires court approval. If finalized, the plaintiffs’ attorneys will get approximately 33% of the total settlement, or $21.5 million. The remaining funds will be distributed to affected plaintiffs and class members after deducting legal costs.

To ensure privacy, a unique identifier is assigned to each plaintiff and class member. The identifier allows them to privately view the relief tiers and estimate the compensation they are eligible to receive. There are four relief tiers:

Tier 1: $7,150,000 (11% of the settlement) will be allocated to individuals impacted by the data breach. Each affected person will receive approximately $50. Individuals can submit claims for reimbursement of recorded out-of-pocket expenditures, up to $5,000. If the total claims exceed $500,000, payments will be made on a pro-rata basis.

Tier 2: $1,300,000 (2% of the settlement) will be shared among individuals whose stolen data was posted online. The estimated award is $1,000 per person.

Tier 3: $4,550,000 (7% of the settlement) will be shared among individuals whose non-nude photographs were posted on the dark web. The expected award is $7,500 per person.

Tier 4: $52,000,000 (80% of the settlement) will be awarded to individuals whose nude photographs were posted online. The estimated compensation is $70,000 to $80,000 each.

Patrick Howard, a partner at Saltz, Mongeluzzi, & Bendesky, stated that this settlement may be the biggest data breach settlement in U.S. history on a per capita basis. He also praised the fact that class members will automatically receive their compensation without needing to file a claim, which is unusual in data breach settlements. Thanks to LVHN’s cooperation, all 134,000 individuals only need to wait to get a check.

Class members have until October 21, 2024, to object to or opt out of the settlement. A claim for out-of-pocket expenses must be submitted on or before November 3, 2024. The final approval hearing is scheduled for November 15, 2024. If the court approves the settlement, everyone will get a check for their share of the settlement depending on their designated tier.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681.