Jane Doe vs. Lehigh Valley Health Network, Inc.

Case Background

On June 26, 2023, Plaintiff Jane Doe filed a personal injury lawsuit in the Lackawanna County Court of Common Pleas (Case number: 23-CV-1149). Judge Malachy E. Mannion presided over the case.

Cause

On February 6, 2023, Lehigh Valley Health Network (LVHN), a major healthcare provider in eastern Pennsylvania, suffered a significant data breach. The breach was perpetrated by ALPHV, also known as BlackCat, a notorious cybercriminal group known for targeting healthcare and academic institutions. LVHN detected unauthorized activity on its IT systems and promptly launched an investigation.

The hackers gained unauthorized access to LVHN’s computer network, compromising a vast amount of sensitive patient information. This included personally identifiable information (PII) and protected health information (PHI) such as:

  • Addresses
  • Email addresses
  • Dates of birth
  • Social Security numbers
  • Passport information
  • Driver’s license numbers / State ID numbers
  • Health insurance provider details
  • Medical diagnoses and treatment information
  • Medications
  • Lab results

Most alarmingly, the hackers obtained nude photographs of cancer patients receiving radiation treatment. These images were taken as part of the patients’ medical care, often without their explicit knowledge.

After accessing this sensitive data, the hackers demanded a ransom from LVHN, threatening to release the nude images publicly if their demands were not met. LVHN decided not to pay the ransom, resulting in the hackers posting the sensitive images on the internet, where they may remain indefinitely. LVHN serves thousands of individuals annually, maintaining a massive repository of sensitive information. This made them a particularly lucrative target for data thieves aiming to misuse or sell patient data.

Injuries

The data breach caused significant harm to Plaintiff Jane Doe and Class members. Patients faced severe embarrassment and humiliation due to the public release of nude images from their cancer treatments. This privacy violation during an already vulnerable time led to substantial emotional trauma. The exposure of personal and medical information increased the risk of identity theft and fraud, which is ongoing and may last for years.

Plaintiffs incurred out-of-pocket expenses to address the breach, including placing fraud alerts, notifying financial institutions, and monitoring accounts. They also faced potential future costs for credit monitoring and identity theft protection services. Victims spent considerable time and effort researching the breach, monitoring accounts, and taking steps to protect their identities. The unauthorized disclosure of sensitive medical information and intimate photographs resulted in a significant loss of privacy. The ongoing threat of identity theft and the knowledge that personal information and images were online caused substantial anxiety and stress. The full extent of the damages might not be immediately clear, as identity theft and fraud can occur months or years later.

Damages

The Plaintiff sought various forms of relief for themselves and the Class. They requested class certification, including the designation of the Plaintiff as class representative and their counsel as Class Counsel. They sought compensatory damages for injuries and losses from the data breach, and punitive damages to penalize LVHN for alleged reckless and willful conduct. They also sought injunctive relief to prevent further wrongful acts by LVHN, mandated security improvements to prevent future breaches, and ongoing annual audits of LVHN’s security practices. Additionally, they requested identity protection services for affected individuals and reimbursement of legal costs incurred from the lawsuit. The lawsuit also aimed to address the extensive emotional and financial damages suffered due to the breach.

Key Arguments and Proceedings

Legal representation

  • Plaintiff(s): Jane Doe, individually and on behalf of all others similarly situated
    • Counsel for Plaintiff: Patrick Howard | Samuel J. Strauss | Raina C. Borrelli | Mary Anne O. Lucas | Todd J. O’Malley | Daniel Gustafson
  • Defendant(s): Lehigh Valley Health Network, Inc.
    • Counsel for Defendants: Phyllis B. Sumner | Elizabeth D. Adler | James M. Brigman

Key Arguments or Remarks by Counsel

The breach affected about 135,000 patients and employees, more than 600 of whom had their medical images posted online, Saltz Mongeluzzi Barrett & Bendesky PC said in a statement. The class members will receive payouts ranging from $50 to $70,000, with the higher amounts going to those who had their nude photos published on the internet, according to the firm.

Patrick Howard said he and his Saltz Mongeluzzi colleagues “were pleased to obtain the significant relief for the impacted individuals.” He also commended Lehigh Valley for its efforts to resolve the matter.

LVHN denies any wrongdoing under the settlement but said in a statement that “patient, physician and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future.”

Claims

The Plaintiff filed a class action personal injury lawsuit against LVHN, alleging multiple claims:

Negligence: LVHN failed to implement reasonable data security measures to protect patients’ sensitive information. The Plaintiff argued that LVHN had a duty to exercise reasonable care in safeguarding and protecting their sensitive information from being compromised, lost, stolen, misused, or disclosed to unauthorized parties.

Negligence Per Se:

  • Violation of Section 5 of the FTC Act: LVHN failed to use reasonable measures to protect PII and PHI, which constitutes an unfair practice affecting commerce.
  • Violation of HIPAA: As a healthcare provider, LVHN is covered by HIPAA and failed to comply with its standards for protecting electronic protected health information.

Breach of Fiduciary Duty: LVHN breached its fiduciary duty to protect patients’ private and sensitive information and to keep them informed of when that information became exposed or compromised.

Breach of Implied Contract: LVHN failed to safeguard patients’ information as promised in its privacy policy. The Plaintiff argued that by providing their PII and PHI in exchange for healthcare services, an implied contract was formed, which LVHN breached by failing to protect this information.

Breach of Confidence: LVHN violated the expectation that patients’ personal data would be protected and not disclosed to unauthorized parties. This claim is based on the understanding that the relationship between a healthcare provider and patient is governed by an expectation of confidentiality.

Defense

Lehigh Valley argued that the claims did not specify which security measures the hospital system should have deployed to thwart the ransomware or prevent the subsequent exposure of the stolen information. Later, the Plaintiff defended against the purported pleading shortfalls, arguing that Lehigh Valley had not released information about how the breach occurred.

Settlement

On September 11, 2024, Lehigh Valley Health Network reached a $65 million settlement of the class action lawsuit. The personal injury lawsuit highlighted significant lapses in healthcare cybersecurity and violations of patient privacy.

Court Documents:

Available Upon Request

Press Release:

https://www.fiercehealthcare.com/providers/lehigh-valley-health-network-agrees-65m-settlement-over-ransomware-attack-leaked-nude

https://www.law360.com/articles/1878601