Pennsylvania Firm to Pay $65M for Cancer Patient Photo Hack


Lehigh Valley Health Network Will Pay 134,000 Victims of Ransomware Attack and Leak


A Pennsylvania-based healthcare system, hacked by ransomware group BlackCat in 2023 and extorted over stolen exam photos of breast cancer patients posted on a data leak site, has agreed to pay $65 million in a proposed settlement of a class action lawsuit affecting 134,000 patients and employees.


Pictures leaked by the criminal gang included screenshots of patient diagnoses and photos of breast cancer patients disrobed from the waist up during medical exams (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).

The cyberattack by the Russian ransomware group BlackCat in February 2023 hit Lackawanna County-based Delta Medix Group, a physician practice that’s part of the Lehigh Valley Health Network.

At the time, Lehigh Valley Health Network said the incident had not caused any disruption to the healthcare group’s systems (see: Pennsylvania Health System CEO Confirms BlackCat Attack).

In a statement to Information Security Media Group on Monday, Lehigh Valley Health Network said it hired cybersecurity firms to investigate the attack and notified law enforcement.

“BlackCat demanded a ransom, but LVHN refused to pay this criminal enterprise,” the statement said, adding that the healthcare system is continuing “to reinforce our defenses to forestall incidents in the future.”

Under the preliminary settlement, Lehigh Valley Health Network has agreed to pay four tiers of affected class members. These include $50 to each individual whose medical records were accessed in the cyberattack; $1,000 to individuals whose information was posted on the internet; $7,500 to any patient who had “non-nude” photos posted on the dark web; and $70,000 to $80,000 to any patient who had “nude photos” posted on the dark web.

The unidentified lead plaintiff, “Jane Doe,” is slated to receive $125,000 in damages.

Attorneys representing the plaintiffs will receive $21.5 million, or one-third of the proposed settlement amount.

The lawsuit was initially filed in March 2023 in Lackawanna County Court, Pennsylvania. The case was then transferred to a Pennsylvania federal court but later sent back to the county court.

The case remains pending in Lackawanna County Court, and a final approval hearing of the proposed settlement is scheduled for Nov. 15 (see: Breast Cancer Patients Sue Over Breached Exam Photos, Data).

Under the proposed settlement, class members will receive separate written notice containing additional information about the settlement, Lehigh Valley Health Network said.

Law firm Saltz Mongeluzzi Bendesky, which represented plaintiffs in the litigation against LVHN, said the proposed LVHN settlement “is likely to be the biggest class-action settlement per-capita in the nation.”

“The $125,000 award to the lead plaintiff is significant,” said regulatory attorney Paul Hales of the Hales Law Group, which isn’t involved in the LVHN litigation. “It’s 20 times higher than the typical amount lead plaintiffs receive. The publication of her nude photos no doubt influenced that amount,” he said.

“The fast settlement underscores the trend of healthcare providers settling quickly to avoid ongoing embarrassment and limit their financial costs,” Hales said.

Attorney Steven Teppler, chief cybersecurity legal officer at law firm Mandelbaum Barrett PC, who is not involved in the LVHN lawsuit, said he thinks the lead plaintiff “may – repeat, may – have done better in a non-class setting” in terms of payment. “I also think payout tiers such as these will become more common – and may have higher per-class member payouts.”

Hales said the underlying LVHN data breach exposes “a chronic vulnerability” of large healthcare organizations that have multiple locations. “They have difficulty conducting enterprisewide risk analyses and implementing effective risk management. Protecting the privacy and security of protected health information requires far more attention from boards of directors and senior management.”

Teppler said the proposed settlement in the LVHN case is part of an emerging trend. “We’re beginning to see more examples of actual harm and compensation for actual harm,” he said.

“Now more than ever, this speaks to the need for both acted-upon risk assessments and adequate cybersecurity insurance,” Teppler said. “Remember that the former is often a necessity for obtaining the latter.”


