US Healthcare Giant Settles for $65M in Ransomware Case After Nude Patient Photos Leak 

• Pennsylvania-based Lehigh Valley Health Network agreed to a $65 million settlement in a class-action lawsuit.
• The healthcare giant suffered a ransomware attack in 2023, exfiltrating and ultimately leaking nude photos of patients.
•  Some of the pictures were allegedly taken without the patients’ knowledge or consent.

Lehigh Valley Health Network (LVHN), a leading healthcare provider in Pennsylvania, has reached a $65 million settlement to resolve a class-action lawsuit filed by patients following a major data breach. The notorious ALPHV group, also known as the BlackCat gang, infiltrated LVHN's systems on February 6, 2023, stealing and then leaking the data.

During the breach, cybercriminals accessed gigabytes of sensitive data related to 134,000 patients and staff, including names, addresses, Social Security numbers, state ID data, medical records, and surgical images. The attackers demanded a ransom to prevent the release of this information online.

Alarmingly, the stolen data contained nude photographs of cancer patients, some of which were taken without their knowledge. When LVHN refused to meet the ransom demands, the attackers exposed the images on the Dark Web. The healthcare provider officially disclosed the attack on February 20, acknowledging the breach's extent.

The lawsuit accused LVHN of neglecting its duty to protect patient information and claimed the healthcare group violated the Health Insurance Portability and Accountability Act (HIPAA). Despite agreeing to the settlement, LVHN denied any wrongdoing.

Patients expressed outrage over the breach and the handling of the situation. An unidentified plaintiff learned of her nude images being leaked during a call from LVHN's vice president of compliance. The plaintiff was unaware that such photographs had been taken or stored on corporate servers.

ALPHV was shut down at the beginning of the year, but it was seemingly replaced by RansomHub, a ransomware-as-a-service (RaaS) active since February. The threat actor hit Change Healthcare earlier this year, and the data breach was posted on RansomHub’s leak website after ALPHV disappeared.