PA Health System Settles for $65M Over Leaked Patient Photos

Introduction

A Pennsylvania healthcare system agreed to pay $65 million to victims of a February 2023 ransomware attack in which hackers leaked nude photos of cancer patients online, according to the victims' lawyers.

The settlement is considered the largest of its kind in terms of per-patient compensation for a cyberattack, as stated by the law firm representing the plaintiffs.

Pending judicial approval, the settlement serves as a stark warning to major U.S. healthcare providers about the high value of sensitive patient records to both hackers and patients. Healthcare cybersecurity experts emphasize that patient records, particularly images or photos, require additional layers of protection as hackers increasingly target this kind of data. About 80% of the $65 million settlement will go to victims whose nude photos were posted online.

The CEO of cybersecurity firm First Health Advisory noted that the settlement “shifts the legal, insurance, and adversarial ecosystem,” adding that health data, especially images, must now be treated as “crown jewels” and receive heightened protection. He also pointed out that healthcare providers may face a growing cycle where hackers seek out more sensitive data and institutions prefer settling claims out of court to avoid prolonged reputational damage.

The lawsuit was filed after a cybercriminal group stole the nude photos from Lehigh Valley Health Network, which operates 15 hospitals and health centers in eastern Pennsylvania. The hackers demanded a ransom, and when the health system refused to pay, the photos were released online. Filed on behalf of a Pennsylvania woman and other victims, the lawsuit argued that Lehigh Valley Health Network needed to be held accountable for the “embarrassment and humiliation” caused by the leak.

In response, Lehigh Valley Health Network issued a statement emphasizing that “patient, physician, and staff privacy is among our top priorities,” and that they have been working to strengthen their cybersecurity defenses to prevent future incidents. The health system clarified that the ransomware attack was confined to a network supporting one physician practice in Lackawanna County. Affected class members will receive written notices with further details about the settlement.

Ransomware attacks have increasingly disrupted U.S. hospitals and clinics in recent years, significantly affecting patient care and costing the sector billions. For example, a ransomware attack in February crippled a major health insurance billing firm, cutting off health providers from substantial funds and pushing some clinics to the brink of bankruptcy. Another ransomware attack in May on one of the nation’s largest hospital chains endangered patients' lives, as nurses had to manually input prescription information into the system, a task normally handled by automated processes.

Many experts believe the healthcare sector has been slow to enhance its cybersecurity defenses, leaving it vulnerable to attacks. Biden administration officials have promised to introduce mandatory cybersecurity standards for U.S. hospitals, which could lead to gradual improvements. However, some experts warn that litigation and settlements, like the one involving Lehigh Valley, may place additional financial strain on healthcare organizations, especially those that are underinsured.

An assistant vice president at security firm Pondurance, who has responded to numerous healthcare-focused cyberattacks, explained that a full-scale ransomware attack on a healthcare provider comes with steep costs beyond potential legal liabilities. These include rebuilding computer systems and hiring legal counsel. For some healthcare organizations, such attacks could lead to bankruptcy if they are not adequately prepared or insured.
