Major Pennsylvanian primary care group Lehigh Valley Health Network has agreed to pay a record $65 million settlement to resolve a class-action lawsuit alleging its failure to adequately protect sensitive health data from 134,000 patients, which were leaked following an ALPHV/BlackCat ransomware attack in February 2023, The Register reports.
ALPHV/BlackCat's separate leaks of information stolen from LVNH, including nude photographs of cancer patients that were unknowingly captured in some instances, following the organization's refusal to pay the demanded ransom also constituted a violation of the Health Insurance Portability and Accountability Act, according to the lawsuit. "While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims. Rather than act in their patients' best interest, LVHN put its own financial considerations first," said the lawsuit. Despite denying any wrongdoing in its response to the ransomware intrusion, LVNH will be providing patients whose data had been compromised between $50 and $80,000 depending on the type of exposed information.