A Pennsylvania judge approved a $65 million settlement between Allentown, Pa.-based Lehigh Valley Health Network and its patients caught in a 2023 ransomware attack, WHYY reported Nov. 15.
Patient "Jane Doe" led the class-action lawsuit against the health system over the hack in which Russian cybercriminal gang BlackCat posted nude photos of breast cancer patients to the dark web after Lehigh Valley refused to pay ransom. Lehigh Valley Health Network agreed to the settlement in September before a Lackawanna County (Pa.) Court judge gave it his final approval Nov. 15, according to the story.
"The vast majority of that money is going to mostly women whose images were published online, in topless fashion, with both their face exposed and their name in the files," lead plaintiff attorney Patrick Howard told the news outlet. "I think this case will be talked about in healthcare circles for some time in best practices in storing those types of images."
The lead plaintiff stands to collect $125,000, while the other 134,000-plus class members are eligible to receive $50 to $80,000 each, according to the story. The payments are expected to be disbursed in early 2025 after the 30-day appeal window expires.
Lehigh Valley Health Network did not admit to wrongdoing in the settlement. "Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future," a health system spokesperson told Becker's in September.