Health system to pay $65 million after hackers leaked nude patient photos

In March 2023, a Pennsylvania woman received a phone call from a health-care executive that left her in disbelief: Hackers had obtained photos of her naked body while she underwent radiation treatments and posted them to a dark corner of the internet.

Lehigh Valley Health Network refused to pay a ransom “in excess” of $5 million to recover the photos and other stolen patient information, but it couldn’t sidestep financial damages from the breach.

The unidentified woman, who is in her 50s and known as Jane Doe, became the lead plaintiff in a class action suing Lehigh for failing to safeguard highly sensitive patient information, including nude photos of hundreds of cancer patients. On Sept. 12, a law firm announced that Lehigh had agreed to pay $65 million to settle the case.

As hackers penetrate American health-care firms with alarming regularity, the episode reveals how cyberthieves are exploiting uniquely sensitive data - with devastating human and financial consequences.

Data breaches that compromise health information of hundreds of Americans happen on a near-daily basis, according to a Washington Post review of cases compiled by the U.S. Department of Health and Human Services going back to 2022. The FBI’s Internet Crime Complaint Center received more reports of ransomware attacks on health-care industry targets last year than any other of the 16 sectors it tracks.

The Lehigh Valley case also highlights the legal predicaments for health-care organizations that are increasingly targeted by hackers, leaving them vulnerable to both the cybercriminals and subsequent lawsuits brought by patients whose lives are upended by a breach.

That is especially the case for health systems that possess sensitive photos of patients taken for clinical reasons. Delivering radiation therapy to patients typically involves using X-ray and photographic images to develop a treatment plan, according to the American Society for Radiation Oncology.

“The type of data that was exposed, it’s a game changer,” said Carter Groome, CEO of First Health Advisory, a digital-risk firm. “This was so much more of a tangible, direct distress to those people who trusted the organization,” he said.

Disclosing data breaches is leading to lawsuits more often, according to law firm BakerHostetler, which found more than 58 incidents disclosed last year prompted one or more lawsuits, a roughly 38 percent increase from the year before. The BakerHostetler tally is not limited to health care.

Some experts say health-care organizations have made significant headway in shoring up their cyber defenses, but they remain vulnerable in large part due to their complexity - with computer networks connecting physicians, insurers, pharmacies and all manner of vendors that supply equipment and services.

A Lehigh Valley Health spokesperson said the cyberattack was limited to a network supporting a single physician practice in Lackawanna County, in northeast Pennsylvania, and confirmed it did not pay a ransom. “Patient, physician and staff privacy is among our top priorities, and we continue to enhance our defenses to prevent incidents in the future,” he said.

It isn’t clear how often intimate patient photos are exposed in hacks. A plastic surgeon in Beverly Hills disclosed a cyberattack last year that included “images taken in connection with the services rendered at our office,” sparking litigation. A second plastic surgery clinic also disclosed a hack around the same time.

Meredith Schnur, a cyber practice leader at Marsh McLennan, said her team has seen hackers make off with patient photos but not necessarily nude ones. The Lehigh Valley case is “kind of an anomaly,” she said. “That’s a pretty large settlement.”

Hackers have increasingly gone after critical cogs in supply chains like UnitedHealth Group’s Change Healthcare subsidiary, which routes claims from pharmacies and health-care providers to insurers and facilitates payment. The hack of Change in February crippled practices around the country and exposed the health information of a “substantial proportion of people in America,” the company has said. UnitedHealth has spent $1.4 billion responding to the attack through the first half of the year, it said in a securities filing last month.

The ransomware gang believed to be behind the Change hack, ALPHV, is the same one accused of hacking Lehigh Valley. The FBI doesn’t support paying a ransom in such attacks, pointing out that there’s no guarantee that the hackers will return the data and that paying can encourage more attacks. But the CEO of UnitedHealth, which brought in nearly $200 billion of revenue in the first half of 2024, said he directed the company to pay the $22 million ransom, telling Congress it was “one of the hardest decisions I’ve ever had to make.”

Lehigh Valley Health, based in Allentown, Pa., did not pay the ransom. After discovering the breach in February 2023, an executive for the health system called patients to inform them that hackers had posted their personal information - including nude photos - to the dark web, which consists of hidden websites that aren’t accessible through conventional search engines like Google.

The class-action lawsuit recounts how the executive offered an apology to the woman in her 50s and, “with a chuckle, two years of credit monitoring.” The cancer patient had no idea that the health system had stored nude photos of her on its computer network, according to the lawsuit, and was in a state of “complete disbelief.”

“The pictures are really difficult to look at,” said Patrick Howard, an attorney representing the plaintiffs. His legal team hired a cybersecurity expert who located the images that hackers had posted on the dark web, enabling them to “establish each person’s information that was actually online.”

The proposed settlement, which still requires a judge’s approval, would provide a payout to nearly 135,000 patients and health-system employees affected by the breach. But 80 percent of the $65 million is earmarked for those whose nude photos were published to the dark web, according to the agreement. Howard said that category includes about 600 men and women, who stand to receive upward of $75,000 each. As the lead plaintiff, Jane Doe could receive $125,000.