Lehigh Valley Health Network agrees to $65M settlement in ransomware case

Lehigh Valley Health Network, based in Allentown, Pa., has agreed to a proposed $65 million settlement in a class-action lawsuit related to a 2023 ransomware attack that exposed the medical records of 134,000 patients, according to a Sept. 11 report by The Times Tribune.

The settlement, reached on Aug. 20, follows a ransomware attack claimed by the BlackCat group in 2023. The breach resulted in patients' personal information being stolen and leaked on the dark web, including sensitive data such as nude photos of some breast cancer patients.

The lawsuit was initially filed in Lackawanna County (Pa.) Court, moved to federal court, and then returned to the county court. It remains pending in Lackawanna County Court, with a final approval hearing for the proposed settlement scheduled for Nov. 15, according to the report.

The $65 million settlement will be distributed among patients based on the extent of the harm they experienced, with each group receiving compensation up to a specified limit.

Lehigh Valley Health Network has created a website to provide details about the settlement. On the site, the health system denies any wrongdoing and asserts that the settlement class does not have a valid legal claim.

"Lehigh Valley Health Network has tentatively resolved a class action pertaining to the 2023 cybersecurity attack by a Russian ransomware gang known as BlackCat. The attack was limited to the network supporting one physician practice located in Lackawanna County. Class members will receive separate written notice with additional information about the settlement," a spokesperson for Lehigh Valley Health Network told Becker's in an emailed statement. 

Additionally, the spokesperson said that after identifying the unauthorized activity in 2023, the health system immediately launched an investigation, engaged cybersecurity firms and experts, and notified law enforcement. After investigating, Lehigh Valley said, it provided notices to individuals whose information was involved. It also said that BlackCat demanded a ransom payment, but Lehigh Valley refused to pay.

"Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future," the spokesperson wrote. 

Copyright © 2024 Becker's Healthcare. All Rights Reserved.