Lehigh Valley Health Network has agreed to pay a $65 million settlement following a 2023 cyberattack that exposed nude photos of a patient receiving radiation treatment. Twitter / Global Dissident @GlobalDiss

Lehigh Valley Health Network, a Pennsylvania healthcare system, has agreed to pay a $65 million settlement to victims of a February 2023 ransomware attack. Hackers had exposed sensitive medical information, including nude photos of cancer patients, leading to significant emotional distress and privacy violations.

According to Saltz Mongeluzzi Bendesky, the law firm representing the victims, the $65 million settlement is the largest per-patient compensation for those affected by a cyberattack.

Cyberattacks On Healthcare: A Growing Threat

Healthcare cyber experts told CNN that the $65 million settlement, pending judicial approval, is a stark warning to other large US healthcare providers. The incident underscores the immense value of sensitive patient data to both hackers and patients.

Eighty percent of the settlement is earmarked for victims whose nude photos were leaked online. Carter Groome, chief executive of cybersecurity firm First Health Advisory, said the settlement "shifts the legal, insurance and adversarial ecosystem."

"If you're protecting health data as a crown jewel — as you should be — images or photos are going to need another level of compartmentalised protection," Groome added. According to Groome, it is a cycle where hackers actively target the most sensitive patient data and healthcare providers are incentivised to settle claims out of court to mitigate ongoing reputational damage.

A lawsuit alleges that a cybercriminal gang stole nude photos of cancer patients from Lehigh Valley Health Network, a healthcare system with 15 hospitals and health centres in eastern Pennsylvania. Last year, the hackers demanded a ransom payment, and when Lehigh refused to comply, they leaked the sensitive medical information online.

The lawsuit has been filed on behalf of a Pennsylvania woman and others whose nude photos were publicly disclosed online. The plaintiffs argue that Lehigh Valley Health Network should be held accountable for the significant embarrassment and humiliation caused to them.

Ransomware Attack On Lehigh Valley Health Network

"Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defences to prevent incidents in the future," Lehigh Valley Health Network said in a statement to CNN on Monday.

A ransomware attack in February disrupted a major health insurance billing firm, resulting in billions of dollars being withheld from healthcare providers and pushing some clinics to the brink of financial collapse.

Multiple nurses at the affected hospitals said a ransomware attack on one of America's largest hospital chains in May compromised patient safety. The attack forced nurses to input prescription information manually.

A 2023 report revealed that cybercriminals select victims opportunistically rather than targeting specific individuals. Despite the increasing threat of cyberattacks, the healthcare sector has been slow to strengthen its defences, according to many patients and healthcare practitioners.

In response, Biden administration officials have pledged to implement mandatory cybersecurity requirements for US hospitals, which could gradually enhance their defences. Some experts believe that litigation can create significant pressure on healthcare organisations to protect patient data, but not always in a positive way.

"Other organisations will look at this case and say, well, maybe if I do pay $5 or $10 million in ransom, maybe I won't have to face a class-action lawsuit," Groome said.

Max Henderson, an assistant vice president at the security firm Pondurance with extensive experience responding to healthcare-focused cyberattacks, warns that many healthcare organisations are underinsured and could face bankruptcy if they were to experience a ransomware attack similar to the one that targeted Lehigh Valley Health Network.

Henderson notes that a full-scale ransomware attack on a healthcare provider can incur significant costs beyond potential lawsuits, including rebuilding computer systems and retaining legal counsel.