A blockbuster proposed settlement has been announced involving a ransomware attack last year. The ransomware attack by BlackCat resulted in 134,000 patients of Lehigh Valley Health Network having their data accessed, exfiltrated, and in some cases, leaked online. Distressingly, the threat actors cruelly leaked nude photos of identifiable cancer patients as part of the incident. Insurance Journal reports:
Lehigh Valley Health Network has agreed to a $65 million settlement of a class action with patients and employees affected by a 2023 ransomware attack that exposed personal and medical information including nude photos of patients.
Every settlement class member is to receive payment, ranging from $50 to $70,000; with the maximum going to those who had their hacked nude photos published online.
Lawyers for the class at Saltz Mongeluzzi Bendesky law firm said the settlement is believed to be the largest of its kind, on a per-patient basis, in a healthcare data breach-ransomware case. They commended LVHN for its efforts in reaching the agreement.
LVHN had refused to pay the undisclosed amount of ransom demanded by the hackers, a decision the plaintiffs argued amounted to the healthcare company putting its own financial concerns before the concerns of patients.
Read more at Insurance Journal.
Damned If You Do, Damned If You Don’t?
LVHN did what law enforcement recommends victims do — don’t pay ransom demands. And because they followed that advice, they were sued and accused of not caring enough about their patients?
“LVHN was told by the hackers that they had these images and if LVHN refused to pay their ransom demand, the hackers would release these sensitive images publicly. LVHN needed to act with serious consideration of the consequences that would befall these patients if those images were released on the internet where they can stay forever. LVHN made the knowing, reckless, and willful, decision to let the hackers post the nude images of Plaintiff and others on the internet,” the complaint alleged.
The complaint said that while LVHN was “publicly patting itself on the back for standing-up to these hackers and refusing to meet their ransom demands,” they were “consciously and intentionally ignoring” the real victims, the patients, and rather than acting in their patients’ best interest, LVHN put its “own financial considerations first.”
So what is an entity to do in this type of situation? Certainly, proactive security would be best — not storing nude photos of identifiable patients without strong encryption would be a start.
There have been reports on several plastic surgery practices where nude pictures of patients leaked on the internet after the victim entities refused to pay extortion demands. Will they, too, eventually wind up paying exorbitant settlement amounts?
Related: Settlement Website