Lehigh Valley Health Network to Settle Class Action Lawsuit for $65 Million with Patients
In one of the most significant healthcare settlements in recent history, Lehigh Valley Health Network (LVHN) has agreed to pay $65 million to patients affected by a ransomware attack. The class-action lawsuit is a stark reminder of how important it is for clinical laboratories and pathology groups to safeguard patients’ protected health information (PHI) against cyberattacks.
LVHN, a prominent primary care group in Pennsylvania, was targeted by ransomware group ALPHV (also known as BlackCat), resulting in the exposure of sensitive data belonging to 134,000 patients and staff members. The breached information included names, addresses, phone numbers, medical records, treatment details, health insurance information, email addresses, banking information, Social Security numbers, and driver’s license numbers. Disturbingly, some patients’ clinical images were also compromised during the attack.
The repercussions of this cyberattack have been severe, with nude photos of cancer patients undergoing treatment and other PHI leaked online, violating patients’ privacy in an egregious manner. The lawsuit filed on behalf of affected patients sheds light on LVHN’s alleged failure to adequately safeguard patient information, potentially violating HIPAA regulations in the process.
Patrick Howard, a partner at Saltz Mongeluzzi Bendesky P.C. representing the plaintiffs, emphasized the gravity of the breach, highlighting the invasive nature of the leaked images and the breach of trust between patients and healthcare providers. Clinical laboratories, in particular, are at high risk, as substantial portions of patients’ health records, including test results, are stored within their systems.
The class-action lawsuit outlines the extent of the breach, with affected patients falling into different compensation tiers based on the nature of the data stolen and leaked. Patients whose records were compromised are entitled to $50, while those whose information was posted online receive $1,000. Patients whose non-nude photos were leaked are compensated with $7,500, showcasing the severity of the breach and the financial implications for LVHN.
On a per-patient basis, the settlement reached in this case stands out as one of the largest among healthcare ransomware data breach cases, underscoring the importance of robust cybersecurity measures within healthcare organizations. By addressing vulnerabilities in their systems and implementing stringent data protection protocols, clinical laboratories and pathology groups can mitigate the risks associated with cyberattacks and safeguard patients’ PHI effectively.