Class Action Claims Lehigh Valley Health Network Lost Control of Patient Data, Including Cancer Patients’ Nude Images

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit alleges Lehigh Valley Health Network, Inc. (LVHN) failed to protect consumers’ personal data from hackers who subsequently posted cancer patients’ nude photos on the dark web.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 39-page lawsuit says that after the Pennsylvania-based healthcare network discovered on February 6 of this year that cybercriminals had accessed its computer systems, an investigation revealed that notorious hacker group ALPHV, also called BlackCat, was responsible for the breach. Among the private information stolen by the data thieves were nude photographs of cancer patients, whose pictures had been taken and stored on LVHN’s network, often unbeknownst to those receiving treatment, the suit relays.

In early March, the cybercriminals sent a public message to LVHN, threatening to post the stolen data, including the sensitive images, if the company refused to pay the hackers’ ransom demands, the case relays. The hospital network denied the demands and, the complaint charges, made the “knowing, reckless, and willful decision to let the hackers post the nude images of [patients] on the internet.”

After a second refusal by LVHN to pay the hackers’ ransom, ALPHV purportedly uploaded more patient data and photographs to the dark web in mid-March, the suit states. Per the lawsuit, the group “promises to leak more” each week until its demands are met.

The case chides LVHN for allegedly overlooking the best interests of patients whose information was compromised in the breach.

According to the lawsuit, the cyberattack was the direct result of the defendant’s failure to implement reasonable data security measures to safeguard the private information stored in its network.

What’s more, LVHN has yet to notify victims of the breach or publicly disclose how long the hackers had access to its computer systems, whose data in particular was affected or how much information may have been compromised, the suit says.

Given that the defendant serves thousands of patients each year and maintains an enormous database of sensitive patient information, the case argues that LVHN should have understood it would be a “particularly lucrative target for data thieves” and accordingly taken appropriate steps to ensure data security.

The plaintiff, a Pennsylvania resident who receives breast cancer treatment through the healthcare network, learned of the data breach from news coverage in late February of this year, the complaint relays. The woman was unaware that the defendant had stored nude images of her in its network until early March, when an LVHN representative called and notified her that sensitive photographs taken of her during radiation treatment had been posted on the dark web by the cybercriminals, the filing describes.

In addition to the photographs, the plaintiff was informed that her address, email address, date of birth, Social Security number, health insurance details, diagnosis and treatment information, medications and lab results were also likely compromised in the data breach, the lawsuit states.

As the suit tells it, the LVHN representative extended an apology to the plaintiff and, “with a chuckle,” two years of identity and credit monitoring services.

The lawsuit looks to represent anyone in the United States identified to be a subject of the data breach at Lehigh Valley Health Network, Inc. that was discovered around February 5, 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.