Lehigh Valley Health Network in Pennsylvania reached a $65 million settlement in a class-action lawsuit over data breaches involving the medical records of 134,000 patients. As noted by the plaintiffs’ attorney, this is one of the largest data breach settlements on a per capita basis in US history.
The class-action suit was filed in 2023, claiming LVHN failed to “adequately protect patient data”. The initial breach notice raised alarm, given the sensitivity of the information stolen. The cybercriminals behind the incident posted nude photos of cancer patients receiving radiation oncology treatment, along with other sensitive information, to the dark web.
First Health fully acknowledges the gravity of the breadth of data exfiltrated and the especially personal violation of these patients’ rights. Moreover, the sheer magnitude of the settlement could be significant for the future. As healthcare remains one of the most targeted sectors because of the sensitivity of the information it holds, threat actors may see this settlement as another lever in their pursuit of extorting healthcare providers for economic gain.
It also happens, as in many settlements of this type, that a sizeable share of the monetary payout goes to the attorneys rather than to the patients harmed by the incident, which creates a lucrative market for more lawsuits.
For context, Anthem holds the record for the largest data breach settlement in healthcare at $115M. But there is a fundamental difference here: insurance companies hold much larger revenue streams than even the most lucrative of health systems, thereby altering the impact of such a large settlement.
For LVHN, the settlement amount would be equal to several overhauls of its cybersecurity program, new cyber tools, and the salaries of several additional security leaders. For comparison, the settlement between Pennsylvania and 46 other states with Target over its 2013 breach, one of the largest data breaches of its time, totaled just $18M.
“I believe there are two key takeaways from this settlement,” said Mac McMillan, First Health Strategic Advisory Board Member and seasoned healthcare cyber leader. “First, the type of data exposed matters greatly to the perceived harm felt by the victims. Second, the courts and the public are willing to award larger settlements when these conditions are met. It’s likely that legal firms will no doubt include this in their calculations going forward.”
In 2022, data from BakerHostetler confirmed the alarming rise in breach-related lawsuits and the number of law firms immediately setting up solicitations to patients impacted by healthcare data breaches. And in some instances, entities may face multiple lawsuits filed in the same forum, or a combination of federal and state courts.
Described as a “duplicative litigation trend”, these often predatory lawsuits have raised the cost of initial litigation defense and overall settlement fees because of the sheer number of plaintiffs’ attorneys involved, again creating an incentive for lawyers to take on cases.
In healthcare, entities face stringent regulatory compliance requirements, state privacy laws, limited resources and staff for cyber initiatives, and now, the potential risk of litigation. A provider may have a reportable breach under HIPAA and do everything within its resources to secure its network and patient data while still falling victim to an attack.
First Health remains committed to supporting entities in building more cyber-resilient defenses. We are concerned about the precedent a settlement of this size will set for the industry and for providers, as funds go to attorneys rather than to better securing defenses and governance policies.