DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Proposed $65 million Lehigh Valley Health Network data breach settlement may compensate some victims $80,000

Posted on September 12, 2024 by Dissent

In 2023, a ransomware attack against Lehigh Valley Health Network by AlphV (BlackCat) involved the threat actors leaking nude photos of some cancer patients. In reporting on one of the first class action lawsuits launched against  LVHN, DataBreaches pointed out how significant this situation and litigation might be, in part, because of the nude photos of patients.

This week, there has been an announcement of a proposed settlement in that lawsuit, and it’s a large one — $65 million. One of the terms of the settlement is that any patient who had nude photos leaked on the dark web would be entitled to $70,000 to $80,000. 

That is the largest per person settlement amount DataBreaches has ever seen, and its significance cannot be overstated.

In 2023 and again this year, we saw a number of ransomware attacks with nude photos of patients leaked on clearnet and the dark web by threat actors who had not successfully extorted their victims.  A number of those incidents are also being litigated as class action lawsuits and one wonders whether the LVHN settlement will now be used as some kind of justification or precedent for larger settlement awards.

In reporting on breaches involving plastic surgery practices or medical practices that involved nude photos of identifiable patients, DataBreaches repeatedly urged plastic surgery practices NOT to use patient names as filenames for photos, even if the photos would be cropped before being used on the medical practice’s websites.  DataBreaches also emailed the professional association for plastic surgeons to ask them to issue more guidance and urge practitioners not to associate patient names with nude photos. They did not issue that kind of blunt advice.

The announced settlement will not only be of interest to personal injury law firms. It will also be of interest to threat actors who may now be more motivated to acquire nude photos of patients that they can threaten to leak if their victims do not pay their demands. They, too, may use the LVHN settlement in their negotiations to argue that it will be cheaper for victims to pay them than to pay tens of millions of dollars in a settlement.

To DataBreaches’ knowledge, HHS OCR has never announced any enforcement actions against any plastic surgery practice for failure to adequately protect nude photos of identifiable patients.

The settlement site for the LVHN case can be found at https://lvhndatabreachsettlement.com/.


Note: Do NOT contact DataBreaches.net to ask if you are part of the settlement class or can be part of it. Go to the settlement website above and read the instructions there. 

Category: Breach IncidentsCommentaries and AnalysesHealth DataHIPAAMalwareOf Note

Post navigation

← IRS Information Technology Supervisor Pleads Guilty to Accepting Bribes from Government Subcontractor Whom He Attempted to Extort
Arrest made in NCA investigation into Transport for London cyber attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.