Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman, special counsel Justin Donoho, and associate Ryan Garippo with their analysis of a major settlement in the data breach class action space, and what it signifies for trends in this area as well as data security best practices for companies.
Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Samsung Podcasts, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, and YouTube.
Episode Transcript
Jerry Maatman: Thank you, loyal blog readers, for joining us for this week’s installment of our podcast series called the Class Action Weekly Wire. I’m joined today by my colleagues, Justin and Ryan, and the topic of the day is one of the most significant data breach class action settlements of 2024. Welcome, Justin and Ryan.
Justin Donoho: Hi, Jerry, thank you for having me.
Ryan Garippo: Thanks, Jerry. Happy to be here.
Jerry: So specifically, what we wanted to do was talk about the ins and outs of the $65 million class action settlement announced in a data breach lawsuit entitled Doe v. Lehigh Valley Health Network. Justin, can you set the stage for our listeners and readers about what this case is about and why it’s significant?
Justin: Yes, Jerry. In this case the plaintiffs are cancer patients. They filed a class action against Pennsylvania-based healthcare company Lehigh Valley Health Network for its alleged failure to protect their nude photographs taken during their cancer treatments from cybercriminals who hacked into the company servers, stole the photographs, and leaked them to the public in February 2023. The plaintiffs brought claims for negligence, breach of fiduciary duty, publicity of private matters, and other claims. The plaintiffs also sought punitive damages based on their assertion that, despite being told by the criminal hackers that the nude photos and other sensitive data would be released publicly if a ransom were not paid, the health system declined to take any action, and therefore allegedly made a knowing, reckless, and willful decision of their own to allow the criminal hackers to post their nude images on the internet.
Jerry: Most data breach class actions involve infiltration of systems involving social security information, payroll data, and the like. Very unusual that would include photographs, let alone photographs of patients receiving treatment. Ryan, what were some of the particulars of the settlement agreement that plaintiffs’ counsel and defense counsel for the defendant had negotiated to get this case resolved?
Ryan: Well, Jerry, the breach affected over 135,000 patients and employees, more than 600 of whom had their medical images posted online. So the class members will receive payouts ranging from $50 to $70,000, with the higher amounts going to those who actually had their nude photos published on the internet, and the lower amounts being for those who suffered a less invasive invasion of their personal information. And, as you’ve mentioned, overall the company will pay a total of $65 million to settle those claims.
Jerry: So our Class Action Review tracks settlements in all substantive areas, including data breach, and over the last 36 months, anecdotally, data breach class actions just keep getting bigger and bigger and bigger. And this is a manifestation of that trend. How do you believe this will impact the price or the going rate of data breach class action settlements going forward in Corporate America?
Ryan: Well, Jerry, I think it’s only likely to go up. The Duane Morris Class Action Review analyzed the largest data breach settlements, and in 2023 plaintiffs secured about $515 million in total for the top 10 settlements. The largest settlement being $350 million in the In Re T-Mobile Customer Data Security Breach Litigation, which accounted for the majority of that number, and the next largest settlement was $49.5 million in the In Re Blackbaud Inc. Customer Data Security Breach Litigation as well. So, this settlement is very large for a data breach class action settlement overall, and healthcare institutions continue to be a favorite target for the plaintiffs’ bar in the cybersecurity space.
Justin: Thank you, Ryan. This settlement looks like it will likely be one of the largest data breach class action settlements in 2024 for sure. This case also continues the massive growth of data breach litigation in general over the past few years. Cybercrime is on the rise – companies need to likewise raise their own levels of data security practices to mitigate risks associated with these types of incidents. In fact, a number of data security practices, including involvement of the Board of Directors, data encryption, and password reset policies, were included in some level of detail in this settlement as measures the healthcare company agreed to adopt in addition to paying out all that money to the plaintiffs. These are types of data security measures all companies should consider as they design and work to continuously improve their cybersecurity programs.
Jerry: Well, thanks so much, Justin and Ryan, for your analysis of this settlement and its implications for Corporate America. The newest edition, the 2025 Duane Morris Class Action Review, will come out in the first week of January of 2025, and my prediction would be this particular settlement is certainly going to be on that top 10 list. Well, thank you, loyal blog readers and listeners, for tuning in to this week’s installment of the Class Action Weekly Wire, and thank you, Justin and Ryan, for providing your thought leadership.
Ryan: Thanks, Jerry, and thank you to the listeners.
Justin: Thank you, Jerry. Thanks everyone.