In 2023, a ransomware attack against Lehigh Valley Health Network by AlphV (BlackCat) involved the threat actors leaking nude photos of some cancer patients. In reporting on one of the first class action lawsuits launched against LVHN, DataBreaches pointed out how significant this situation and litigation might be, in part, because of the nude photos of patients.
This week, there has been an announcement of a proposed settlement in that lawsuit, and it’s a large one — $65 million. One of the terms of the settlement is that any patient who had nude photos leaked on the dark web would be entitled to $70,000 to $80,000.
That is the largest per person settlement amount DataBreaches has ever seen, and its significance cannot be overstated.
In 2023 and again this year, we saw a number of ransomware attacks with nude photos of patients leaked on clearnet and the dark web by threat actors who had not successfully extorted their victims. A number of those incidents are also being litigated as class action lawsuits and one wonders whether the LVHN settlement will now be used as some kind of justification or precedent for larger settlement awards.
In reporting on breaches involving plastic surgery practices or medical practices that involved nude photos of identifiable patients, DataBreaches repeatedly urged plastic surgery practices NOT to use patient names as filenames for photos, even if the photos would be cropped before being used on the medical practice’s websites. DataBreaches also emailed the professional association for plastic surgeons to ask them to issue more guidance and urge practitioners not to associate patient names with nude photos. They did not issue that kind of blunt advice.
The announced settlement will not only be of interest to personal injury law firms. It will also be of interest to threat actors who may now be more motivated to acquire nude photos of patients that they can threaten to leak if their victims do not pay their demands. They, too, may use the LVHN settlement in their negotiations to argue that it will be cheaper for victims to pay them than to pay tens of millions of dollars in a settlement.
To DataBreaches’ knowledge, HHS OCR has never announced any enforcement actions against any plastic surgery practice for failure to adequately protect nude photos of identifiable patients.
The settlement site for the LVHN case can be found at https://lvhndatabreachsettlement.com/.
Note: Do NOT contact DataBreaches.net to ask if you are part of the settlement class or can be part of it. Go to the settlement website above and read the instructions there.