Pennsylvania health system agrees to $65 million settlement after hackers leaked nude photos of cancer patients
CNN
—
A Pennsylvania health care system this month agreed to pay $65 million to victims of a February 2023 ransomware attack after hackers posted nude photos of cancer patients online, according to the victims' lawyers.
It's the largest settlement of its kind in terms of per-patient compensation for victims of a cyberattack, according to Saltz Mongeluzzi Bendesky, a law firm that for the plaintiffs.
The settlement, which is subject to approval by a judge, is a warning to other big US health care providers that the most sensitive patient records they hold are of enormous value to both hackers and the patients themselves, health care cyber experts told CNN. Eighty percent of the $65-million settlement is set aside for victims whose nude photos were published online.
The settlement "shifts the legal, insurance and adversarial ecosystem," said Carter Groome, chief executive of cybersecurity firm First Health Advisory. "If you're protecting health data as a crown jewel, as you should be, images or photos are going to need another level of compartmentalized protection."
It's a potentially continuous cycle where hackers increasingly seek out the most sensitive patient data to steal, and health care providers move to settle claims out of courts to avoid "ongoing reputational harm," Groome told CNN.
According to the lawsuit, a cybercriminal gang stole nude photos of cancer patients last year from Lehigh Valley Health Network, which comprises 15 hospitals and health centers in eastern Pennsylvania. The hackers demanded a ransom payment and when Lehigh refused to pay, they leaked the photos online.
The lawsuit, filed on behalf of a Pennsylvania woman and others whose nude photos were posted online, said that Lehigh Valley Health Network needed to be held accountable "for the embarrassment and humiliation" it had caused plaintiffs.
"Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future," Lehigh Valley Health Network said in a statement to CNN on Monday.
The ransomware attack "was limited to the network supporting one physician practice located in Lackawanna County," the Lehigh statement continued. "Class members will receive separate written notice with additional information about the settlement."
Ransomware attacks have for years disrupted US hospitals and clinics, degrading patient health and costing the sector vast sums of money.
A February ransomware attack on a major health insurance billing firm cut off health providers from billions of dollars and put some health clinics on the brink of bankruptcy.
Another ransomware attack, in May, on one of America's largest hospital chains, put patients' lives in danger as nurses were forced to manually enter prescription information, multiple nurses at affected hospitals told CNN.
For many patients and health practitioners, the sector has been too slow to improve its defenses. Biden administration officials have pledged to issue mandatory cybersecurity requirements for US hospitals, which could gradually improve defenses.
Litigation can significantly increase the pressure on health care organizations to protect patient data, and not necessarily in a good way, according to some experts.
"Other organizations will look at this case and say, well, maybe if I do pay $5 or $10 million in ransom, maybe I won't have to face a class-action lawsuit," Groome said.
There are many health care organizations that are underinsured and, if faced with a cyberattack similar to Lehigh's, could face bankruptcy, said Max Henderson, an assistant vice president at security firm Pondurance, who has responded to numerous health care-focused cyberattacks.
A full-scale ransomware attack on a health care provider has many costs aside from potential lawsuits, from rebuilding computer systems to retaining legal counsel, Henderson said.