In a $65 million settlement agreement, a Pennsylvania healthcare organization conceded liability after hackers unlawfully exposed intimate images of its cancer patients.
This is the largest settlement of its kind in terms of compensation per victim for those affected by a cyberattack, as stated by Saltz Mongeluzzi Bendesky, a law firm representing the plaintiffs.
The settlement, pending judicial approval, serves as a warning to large US healthcare providers that sensitive patient data, particularly explicit images, is highly valuable not just to hackers but also to the patients themselves, according to cybersecurity experts interviewed by CNN. Almost 80% of the $65 million settlement is allocated for victims whose private photos were shared online.
Carter Groome, CEO of cybersecurity firm First Health Advisory, opined that this settlement reshapes the legal, insurance, and adversarial landscape. "If you're treating health data as a priceless asset, as you should, images or photos need an additional layer of secure storage," he told CNN.
This could create a recurring cycle in which hackers target the most vulnerable patient data and healthcare providers opt for out-of-court settlements to avoid long-term reputational damage, Groome suggested.
According to the lawsuit, a cybercriminal group last year stole explicit photos of cancer patients from Lehigh Valley Health Network, which comprises 15 hospitals and health centers in eastern Pennsylvania. The hackers demanded a ransom and, when Lehigh refused to pay, released the photos online.
The lawsuit, filed by a Pennsylvania resident and others whose photos were publicly shared, accused Lehigh Valley Health Network of causing "embarrassment and humiliation" to the plaintiffs.
Lehigh Valley Health Network said in a statement to CNN that patient, physician, and staff privacy are top priorities and that it is continually enhancing its defenses to prevent such incidents in the future. According to Lehigh, the ransomware attack affected only the network supporting one physician practice in Lackawanna County.
Ransomware attacks have long disrupted US hospitals and medical facilities, negatively affecting patient care and leaving the sector with substantial financial losses.
A ransomware attack in February on a major healthcare billing firm left healthcare providers without access to billions of dollars and pushed some clinics towards bankruptcy.
Another ransomware attack in May on one of America's largest hospital chains endangered patients' lives, as nurses were forced to enter prescription information manually while systems were down.
Several patients and healthcare professionals say the sector has been slower than it should be in improving its defenses. Officials from the Biden administration have pledged to introduce mandatory cybersecurity requirements for US hospitals, which could gradually strengthen those defenses.
According to some experts, litigation can intensify the pressure on healthcare organizations to protect patient data but may not always result in positive outcomes.
"Other organizations might consider paying a $5 or $10 million ransom to avoid a class-action lawsuit," Groome speculated.
Many healthcare organizations lack sufficient insurance coverage and, in the event of a cyberattack comparable to Lehigh's, could face bankruptcy, claimed Max Henderson, an assistant vice president at security firm Pondurance, who has dealt with numerous healthcare-focused cyberattacks.
A major ransomware attack on a healthcare provider involves numerous expenses beyond potential lawsuits, such as rebuilding computer systems and hiring legal counsel, according to Henderson.
The settlement underscores the importance of prioritizing and securing sensitive patient data in the business operations of healthcare providers. Failure to do so could lead to significant financial repercussions, including expensive settlements and potential bankruptcy.