Patients at center of data breach case win $65M settlement against Lehigh Valley Health Network

Lehigh Valley Health Network (Courtesy of LVHN)

A Pennsylvania judge has cleared the way for a $65 million settlement with Lehigh Valley Health Network in a data breach case that involved stolen medical records and nude photos of cancer patients, taken during exams, posted on the dark web by a Russian cybergang.

At a hearing Friday in Lackawanna County Court, Senior Judge Thomas A. James gave final approval to a deal between the health system and members of a class-action lawsuit, first filed in 2023.

More than 134,000 affected patients will receive a settlement payment, depending on the degree to which they were affected by the breach.

“We struck the right deal,” said Patrick Howard, lead plaintiff attorney and partner at Saltz Mongeluzzi Bendesky. “The vast majority of that money is going to mostly women whose images were published online, in topless fashion, with both their face exposed and their name in the files.”

In February 2023, leaders at Lehigh Valley Health Network issued a public notice to announce that the health system was targeted by a Russian ransomware group called BlackCat.

The cybergang hacked into a computer system that contained “patient images for radiation oncology treatment and other sensitive information,” according to the notice.

BlackCat demanded ransom, and when the health system refused to pay it, the group posted medical records, employment information and photos of patients on the dark web.

“When you go to the doctor’s office, that’s one place where you’re anticipating that everyone is working to maintain your privacy, even though you have to open yourself up to be treated,” Howard said. “It wasn’t lost on anyone that that was a very significant breach.”

Stolen and posted information included patient medical histories with alcohol and substance use disorders, mental health conditions, reproductive and sexual health diagnoses and more, “things that, again, we would all generally cherish as private,” Howard said.

The class-action lawsuit, filed on March 13, 2023, accused the Lehigh Valley Health System of failing to protect patient information. The health system continues to deny any wrongdoing but said, on a website it set up for affected patients, that the settlement “is the result of good-faith, arms-length negotiations.”

“Both sides agree that, in light of the risks and expense associated with continued litigation, this settlement is fair and appropriate under the circumstances, and it is in the best interests of the settlement class,” the health system’s statement reads.

The lawsuit was led by patient “Jane Doe,” who used a pseudonym to maintain her privacy and protect her identity. As the lead plaintiff, she stands to receive $125,000 in damages.

Other class-action members will get between $50 and $80,000 each, based on how their information was hacked and/or posted.

After the deal clears a final 30-day appeal window, patients should receive settlement checks in the first quarter of 2025.

“Pictures are part of medical care. That’s something that they do to track scarring and all sorts of things. But they are the most delicate and sensitive medical information,” Howard said. “I think this case will be talked about in health care circles for some time in best practices in storing those types of images.”
