Health Care System Agrees to $65 Million Settlement for Ransomware Attack #

A Pennsylvania health care system has agreed to pay $65 million to victims of a ransomware attack that occurred in February 2023. The attack resulted in hackers posting nude photos of cancer patients online.

This settlement is reportedly the largest of its kind in terms of per-patient compensation for victims of a cyberattack. Eighty percent of the $65-million settlement is set aside for victims whose nude photos were published online.

Cybersecurity experts view this settlement as a warning to other large US health care providers. It highlights the immense value of sensitive patient records to both hackers and patients themselves. The settlement may shift the legal and insurance landscape surrounding health data protection.

The incident involved a cybercriminal gang stealing nude photos of cancer patients from a health network comprising 15 hospitals and health centers in eastern Pennsylvania. When the health network refused to pay a ransom, the hackers leaked the photos online.

A lawsuit was filed on behalf of a Pennsylvania woman and others whose nude photos were posted online, seeking to hold the health network accountable for the embarrassment and humiliation caused to the plaintiffs.

The health network stated that patient, physician, and staff privacy is among their top priorities, and they continue to enhance their defenses to prevent future incidents. They also noted that the ransomware attack was limited to the network supporting one physician practice in Lackawanna County.

Ransomware attacks have long been a problem for US hospitals and clinics, disrupting patient care and costing the sector significant amounts of money. Recent attacks have affected major health insurance billing firms and large hospital chains, putting patients’ lives at risk and pushing some health clinics to the brink of bankruptcy.

The healthcare sector has been criticized for being slow to improve its defenses. The Biden administration has pledged to issue mandatory cybersecurity requirements for US hospitals to gradually improve defenses.

Experts warn that litigation can increase pressure on health care organizations to protect patient data, but not always in beneficial ways. Some organizations might consider paying ransoms to avoid class-action lawsuits.

Additionally, many health care organizations are underinsured and could face bankruptcy if confronted with a similar cyberattack. The costs associated with a full-scale ransomware attack extend beyond potential lawsuits, including expenses for rebuilding computer systems and retaining legal counsel.