
Lehigh Valley’s $65M settlement: A reason to pay the ransom?

Refusal to comply with ransomware led to the leak of nude patient photos. Is there a right answer when cybercriminals get ruthless?
By admin
Oct 15, 2024, 2:42 PM

In February of 2023, Lehigh Valley Health Network (LVHN) experienced a ransomware attack by ALPHV/BlackCat, the same Russian-linked group that would later take down Change Healthcare.   

The attackers claimed to have stolen the usual set of “sensitive data,” but also gained access to something even more unsettling: clinically relevant nude photos of cancer patients undergoing radiation therapy. If LVHN did not pay the ransom, the hackers would release the photos onto the dark web. 

Following the guidance of the FBI and other federal authorities not to pay ransoms, on the grounds that paying emboldens future criminals, LVHN elected to hold its ground. The attackers made good on their threat and published the photos. 

The health system was quickly hit with a class action suit brought by the patients whose data was made public. The suit accused LVHN of failing to protect patient privacy while “consciously and intentionally” ignoring how its decision not to pay the ransom would affect the emotional and financial health of the patients involved.  

LVHN has defended its actions by reinforcing its commitment to privacy and security, noting in a recent statement to CNN that the attack “was limited to the network supporting one physician practice located in Lackawanna County” and the health system is continuing to enhance its defenses against future events.  

However, the health system has agreed to a $65 million settlement with the plaintiffs, subject to approval from a judge, that appears to be the largest of its kind – and with 134,000 patients involved, potentially the “largest data breach settlement on a per capita basis in the United States history,” said Patrick Howard, an attorney at Saltz Mongeluzzi Bendesky, the firm representing the plaintiffs. 

The saga raises the question: are there situations in which it’s better to pay?  

Caught between a rock and a hard place

Even in the wake of seismically disruptive events like the Change Healthcare attack (in which leaders did appear to pay the attackers), the answer most likely remains a firm “well, not really.” 

It’s a gut-wrenching decision to make, especially in situations where patient safety is at stake. If the alternative is to cancel urgent procedures, lose access to electronic records, or divert emergency cases to other facilities, there are emotional, ethical, and financial pressures to act. 

About a third of hospitals subject to ransomware attacks in 2021 admitted to paying in an effort to quickly restore access to vital systems. Updated data from the Ponemon Institute in 2024 found these rates have remained relatively steady over time, with 36% of victims paying a ransom this year – although the dollar figures involved have skyrocketed. Compared to 2021, when the average demand was about $130,000, cybercriminals are now demanding north of $1 million to release their grip on their victims.  

While biting the bullet and doling out funds might seem like the best way to restore operations and safeguard patients, doing so is actually no guarantee of relief.   

Organizations that handed over the requested ransom in 2021 said that only about 70% of their data was restored afterward, which can still result in lasting damage to present or future operations. And these organizations could still be subject to hefty lawsuits from patients over the disruptions or leaks that do occur, so it’s not a foolproof way of avoiding the financial or reputational fallout of a ransomware event. 

In contrast, the business arguments for refusing to pay, as LVHN did, are only growing stronger. After signing a pledge alongside roughly 40 other countries not to pay ransoms, US officials across government departments are united in taking a dim view of those who capitulate to cybercriminals. 

There are also major legal risks tied to sending money to foreign groups under US sanctions: a payment to a sanctioned entity can itself be a sanctions violation, exposing the victim (and any negotiator or insurer facilitating the payment) to civil penalties from the Treasury Department’s Office of Foreign Assets Control, regardless of whether the victim knew who was on the other end. 

So what is a healthcare organization to do when it becomes one of the nearly 60% of entities to experience a ransomware attack each year? 

Reducing the pressure of making decisions in the heat of the moment 

The decision may not be as simple as whether to pay or not. Instead, it’s about which path is more likely to keep damage to a minimum, because it’s going to hurt either way. Ransomware is so popular among cybercriminals precisely because it is so horrifically effective at producing bad outcomes for the victim no matter what they choose. 

Is paying upfront for the slim chance at an immediate resolution worth getting entangled in international law? Is refusing to give in going to be a hollow moral victory that will still drag patients through the mud, risk their safety, and maybe lead to an eye-watering settlement in court? What are the likely dollar figures involved in each scenario? The direct impact on patient care? The longer term effects of leaked patient data, compromised systems, and significant reputational risks?  

Every cyberattack is different, and making these calculations on the fly isn’t easy, especially since it can take weeks or months to discover the full extent of the damage. But since ransomware attacks are now a matter of when, not if, organizations should chart out these scenarios ahead of time, in case their comprehensive system backups, cybersecurity insurance protocols, and extensive cyber defenses happen to fail them. 

The truth is that there is no single right answer when it comes to ransomware. There might not be any good options at all, in some cases, especially for the patients at LVHN and the thousands of other organizations hit by attacks each year.  

Organizations will simply need to get more proactive about risk management, disaster planning, and recovery procedures, focusing on mitigating damage instead of thinking they can avoid it entirely. It’s not a perfect solution, but developing a better forward-thinking understanding of how a ransomware event is likely to play out could provide some protection from making a worse decision than necessary when the cards are on the table. 


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.

