Lehigh Valley Health Network Data Breach Lawsuit Settled for $65 Million
A $65 million settlement has been agreed to resolve a class action data breach lawsuit against Lehigh Valley Health Network (LVHN) that will see plaintiffs compensated for having nude photographs and other sensitive data stolen and published on the dark web.
In February 2023, LVHN in Pennsylvania confirmed it had fallen victim to a Blackcat ransomware attack. The attack was detected on February 6, 2023, and affected a network that supported a Lackawanna County physician practice, which included a system used to store clinically appropriate patient images for radiation oncology treatment. The Blackcat ransomware group demanded a ransom payment to prevent the publication of the stolen data on its data leak site, then started to release images of breast cancer patients, naked from the waist up, to increase the pressure on LVHN to pay the ransom. LVHN refused to pay the ransom and Blackcat leaked the stolen data.
A lawsuit was filed by Simon B. Paris and Patrick Howard of the law firm Saltz, Mongeluzzi, & Bendesky, P.C. in March 2023 on behalf of plaintiff Jane Doe and other similarly situated individuals whose sensitive data and medical images were stolen and leaked online. According to the lawsuit, photographs were taken of patients, often unbeknownst to the patients themselves, and those photos were stored on the network. The lawsuit alleged there were insufficient security measures in place despite the high risk of cyberattacks and LVHV failed to act in its patients’ best interests when the ransom was not paid.
“LVHN needed to act with serious consideration of the consequences that would befall these patients if those images were released on the Internet where they can stay forever,” stated the plaintiff’s attorneys. “LVHN made the knowing, reckless, and willful decision to let the hackers post the nude images of Plaintiff and others on the Internet… rather than act in their patients’ best interest, LVHN put its own financial considerations first.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
LVHN denies any wrongdoing and maintains the settlement class does not have a viable legal claim; however, the decision was taken to settle the lawsuit to avoid the uncertainty of a jury trial. The settlement must be approved by the court. If agreed, the plaintiffs’ attorneys will receive around one-third of the settlement – approximately $21.5 million – and after legal costs have been covered, the plaintiffs’ and class members’ compensation will be paid.
To preserve anonymity, each plaintiff and class member has been provided with a unique identifier that will allow them to confidentially view the relief tiers and find out approximately how much they are entitled to receive.
According to the settlement website, there are four relief tiers:
| Relief Tier | Total Settlement | Qualifying Criteria | Terms |
| 1 | $7,150,000 (11%) | Affected by the data breach | To be paid to all affected individuals, with an estimated payment of $50. Claims may also be submitted for reimbursement of documented out-of-pocket expenses up to $5,000, with those claims paid pro rata if the total claims amount exceeds $500,000. |
| 2 | $1,300,000 (2%) | Had their stolen information posted online | To be paid pro rata, with an expected award of $1,000 |
| 3 | $4,550,000 (7%) | Had non-nude photographs published on the dark web | To be paid pro rata, with an expected award of $7,500 |
| 4 | $52,000,000 (80%) | Had nude photographs published on the dark web | To be paid pro rata, with an expected award of between $70,000 and $80,000 |
“We believe this is the largest data breach settlement on a per capita basis in the United States history,” Patrick Howard, partner, Saltz, Mongeluzzi, & Bendesky, told The HIPAA Journal. “We are particularly proud of the fact that class members need not do anything to get the settlement benefits. Almost all of these data breach settlements require that you make a claim to get relief. Here, all 134,000 people will get a check without doing anything. We would like to thank LVHN for its efforts in working with us to achieve this result.”
The deadline for objecting to or opting out of the settlement is October 21, 2024. If a claim is submitted for out-of-pocket expenses, the deadline is November 3, 2024. The final approval/fairness hearing is scheduled for November 15, 2024. If class members do nothing, and the settlement is approved by the court, they will receive a check for their share of the settlement based on their allocated tier.
