BETHLEHEM, Pa. — Lehigh Valley Health Network reached a $65 million settlement in a class-action lawsuit over data breaches of medical records of 134,000 patients.
"We believe this is the largest data breach settlement on a per capita basis in the United States history," said Patrick Howard, an attorney at Saltz Mongeluzzi Bendesky in Philadelphia, who represented the plaintiff.
The settlement, filed in Lackawanna County Court, is in a class-action lawsuit brought in March 2023 in that court by a plaintiff identified as "Jane Doe" against the hospital network.
The suit alleged that LVHN failed to adequately protect data it got from patients and health care providers whose personal information was exposed during a data breach announced by LVHN on Feb. 22, 2023.
LVHN in July said the data security breach affected Lehigh Valley Physician Group-Delta Medix, in which it says personal information of some individuals was compromised.Lehigh Valley Health Network
Hackers posted patient information and nude photos of cancer patients getting radiation oncology treatment at Lehigh Valley Physician Group-Delta Medix in Lackawanna County to the dark web.
LVHN said the incident was a result of a cybersecurity attack by the ransomware gang known as BlackCat, believed to be associated with Russia.
The ransomware was discovered Feb. 6,2023, on part of LVHN's information technology systems, LVHN said.
In response, it said, it launched a comprehensive investigation involving the assistance of leading cybersecurity experts to determine the cause and extent of the incident.
"After investigating, we provided notices to individuals whose information was involved," a statement from the network read.
"BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise. Patient, physician, and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future."
As part of its efforts to support affected individuals, LVHN said it has arranged a complimentary 24-month subscription to Experian's IdentityWorks service.
"We are particularly proud of the fact that class members need not do anything to get the settlement benefits," Howard, the plaintiff attorney, said.
"All 134,000 people will get a check without doing anything. We would like to thank LVHN for its efforts in working with us to achieve this result and provide this relief to the Class."
Who's included, how much they get
The settlement was reached Aug. 20. Each individual in the settlement class got a notice of the proposed settlement.
"Lehigh Valley Health Network has tentatively resolved a class action pertaining to the 2023 cybersecurity attack by a Russian ransomware gang known as BlackCat," the statement from LVHN said.
"The attack was limited to the network supporting one physician practice located in Lackawanna County. Class members will receive separate written notice with additional information about the settlement."
The settlement must be approved by the court before any payment is issued.
A hearing on approval of the settlement is scheduled for 1 p.m. Nov. 15 in the Lackawanna County Courthouse before Senior Judge Thomas A. James.
If the court approves the settlement, class members will get payment without the need to do anything further, according to an informational website created for those affected.
The four relief tiers are:
• Relief Tier One — Allocated $7.15 million of the settlement fund that will be paid to all settlement class members. According to the settlement, each payment will not exceed $50.
• Relief Tier Two — Allocated $1.3 million of the settlement fund that will be paid to settlement class members whose sensitive medical diagnosis information and/or sensitive employment data was published on the dark web. Payment is not to exceed $1,000 each.
• Relief Tier Three — Allocated $4.55 million to the settlement fund members whose images were published on the dark web but don't qualify as nude. Payment is not to exceed $7,500 each, according to the Times-Tribune newspaper in Scranton.
• Relief Tier Four — Allocated $52 million of the settlement fund that will be paid to settlement class members whose nude images were published on the dark web. Payment would be $70,000 to $80,000, according to the Times-Tribune.
What you can do
Each individual in the settlement class got an announcement of the breach.
LVHN denies doing any wrongdoing and further denies that the settlement class has a viable legal claim.
Settlement class members have been divided into four categories of relief, and an independent special master allocated the settlement fund among those tiers.
The amount paid to each relief tier will be paid on a pro rata basis to each class member. Each settlement class member has gotten a unique identifier to let them confidentially view the relief tiers.
A settlement class member also can submit a claim form for out-of-pocket losses of up to $5,000 to LVHN Data Breach Services, Claims Administrator, P.O. Box 5178, Portland, OR 92708-5178.
Settlement class members also can exclude themselves by submitting a release that would let them pursue an individual separate lawsuit over the issues.
They must mail a request to opt-out or exclude themselves from the settlement and settlement class by Oct. 21 to LVHN Data Breach Services, Claims Administrator, P.O. Box 5178, Portland, OR 92708-5178.
To file out-of-pocket losses, they must file a claim form on or before Nov. 3.
Class members also can submit written comments to the court in support of or in opposition to the settlement or any of its terms by Oct. 21.
