Alabama Ophthalmology Associates Data Breach Settlement Gets First Nod

Alabama Ophthalmology Associates, P.C., has settled a class action lawsuit that was filed in response to a January 2025 cyberattack on its computer systems. The intrusion was identified on January 30, 2025, and the forensic investigation confirmed unauthorized access to its network between January 22 and January 30, 2025.

The hackers had access to files containing names, dates of birth, Social Security numbers, medical record numbers, treatment information, medical history information, and health insurance information. The Alabama Ophthalmology data breach affected 131,576 individuals, and notification letters were mailed in April 2025. Multiple class action lawsuits were filed in response to the data breach, which were consolidated as they had overlapping claims – In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation – in the Circuit Court of Jefferson County, Alabama.

The consolidated lawsuit alleged that the defendant failed to implement reasonable and appropriate safeguards to protect sensitive data on its network, resulting in unauthorized access and exposure of patient data, and failed to issue adequate breach notifications. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, fraud, misrepresentation, unjust enrichment, bailment, wantonness, and failure to provide adequate notice pursuant to any breach notification statute or common law duty.

The defendant denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing and that there is no liability. To avoid further legal costs and the uncertainty of a trial, all parties explored early resolution of the lawsuit, and a settlement was ultimately agreed upon that was acceptable to all parties.

Class members are entitled to claim two years of medical data monitoring and identity theft protection services, plus one of two cash payments. A claim may be submitted for documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for an alternative pro rata cash payment, the value of which will depend on the number of valid claims received. The cash payments are expected to be around $60 per class member. The deadline for objection and exclusion is June 5, 2026. Claims must be submitted by June 25, 2026, and the final fairness hearing has been scheduled for July 6, 2026.

The post Alabama Ophthalmology Associates Data Breach Settlement Gets First Nod appeared first on The HIPAA Journal.

OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced four financial penalties to resolve potential HIPAA violations discovered during investigations of ransomware-related data breaches. The ransomware attacks resulted in the exposure of the electronic protected health information (ePHI) of 427,000 individuals, and $1,165,000 in financial penalties were imposed to resolve the HIPAA violations. In each case, the HIPAA-regulated entity agreed to pay a lower penalty to settle the alleged violations informally and agreed to adopt a corrective action plan to address the noncompliance issues identified by OCR’s investigators. Including these four settlements, OCR has resolved six investigations with financial penalties in 2026, collecting $1,278,000 in penalties.

Financially motivated cyber actors target the healthcare and public health sector, often using ransomware to encrypt files to prevent access to critical data. Threat actors know that healthcare organizations store large volumes of sensitive data and rely on access to the data to provide healthcare services. Without access to medical records, patient safety is put at risk, so victims are more likely than organizations in other sectors to pay the ransom demands to recover quickly. In addition to encryption, sensitive data is often exfiltrated and used as leverage. If the ransom is not paid, the data is sold or leaked online, putting the affected individuals at risk of identity theft and fraud.

In each of the past five years, more than 700 data breaches affecting 500 or more individuals have been reported to OCR, the majority of which were hacking incidents or ransomware attacks. “Hacking and ransomware are the most frequent type of large breach reported to OCR,” said OCR Director Paula M. Stannard, in an announcement about the HIPAA penalties. “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”

One of the most important requirements of the HIPAA Security Rule is a risk analysis, the purpose of which is to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Those risks and vulnerabilities must then be subjected to risk management processes to eliminate them or reduce them to a low and acceptable level. If a risk analysis is not conducted, is not conducted regularly, or is incomplete, risks and vulnerabilities are likely to remain unknown and unaddressed and can be exploited to gain access to internal networks and ePHI.

OCR has made the risk analysis provision of the HIPAA Security Rule an enforcement priority due to its importance, and that initiative is being extended to include risk management. If a data breach is reported or if a complaint is submitted about an unreported data breach, OCR will investigate and will require evidence to show that a risk analysis has been completed and risks have been managed in a timely manner. In each of the four latest enforcement actions, OCR identified risk analysis failures.

In order to complete a comprehensive and accurate risk analysis, HIPAA-regulated entities must identify all locations within the organization where ePHI is located, including how ePHI enters, flows through, and leaves the organization’s information systems. It is therefore essential to create and maintain an accurate and up-to-date asset inventory on which the risk analysis can be based.

In addition to identifying and managing risks and vulnerabilities, HIPAA-regulated entities must ensure that appropriate cybersecurity measures are implemented, including access controls and authentication to restrict access to ePHI to authorized users only. Audit controls must be implemented to record and examine activity in information systems, and logs of information systems activity need to be regularly monitored. Encryption should be implemented to protect ePHI at rest and in transit, and an incident response plan must be developed, implemented, and maintained to ensure a fast response in the event of a successful intrusion. OCR also reminds regulated entities to ensure that workforce members are provided with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Assured Imaging Affiliated Covered Entities – $375,000 HIPAA Penalty

The largest financial penalty announced this month resolved potential HIPAA violations identified by OCR during an investigation of a ransomware-related data breach at Assured Imaging Affiliated Covered Entities (Assured Imaging), a medical imaging and screening service provider with corporate headquarters in Arizona and California. The ransomware attack was discovered on May 19, 2020, and involved the theft of ePHI such as names, contact information, dates of birth, diagnoses and conditions, lab results, medications, and treatment information of 244,813 individuals.

Assured Imaging was unable to provide evidence that a risk analysis had ever been completed. OCR determined that there had been an impermissible disclosure of the ePHI of 244,813 individuals, and that Assured Imaging failed to notify the affected individuals within 60 days, as required by the HIPAA Breach Notification Rule. OCR imposed a $375,000 financial penalty to resolve the alleged HIPAA violations, and the settlement agreement includes a comprehensive corrective action plan. Assured Imaging will be monitored for compliance with the corrective action plan for two years.

Regional Women’s Health Group, dba Axia Women’s Health – $320,000 HIPAA Penalty

Regional Women’s Health Group, which does business as Axia Women’s Health and provides women’s healthcare services to patients in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky, reported a ransomware-related data breach to OCR in December 2020. The ePHI of 37,989 individuals stored in its electronic medical record database was exposed or stolen in the incident, including names, addresses, dates of birth, SSNs, driver’s license numbers, diagnoses or conditions, lab results, and medications.

OCR determined that Axia Women’s Health had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI and imposed a $320,000 financial penalty. Axia Women’s Health opted to settle the alleged violation informally and agreed to implement a comprehensive corrective action plan and will be monitored for compliance with that plan for two years. In addition to conducting a risk analysis, implementing a risk management plan, and providing training to the workforce, Axia Women’s Health is required to implement a process for evaluating environmental and operational changes that affect the security of ePHI, suggesting OCR found potential noncompliance in this area, in addition to the risk analysis failure.

Star Group, L.P. Health Benefits Plan – $245,000 HIPAA Penalty

Star Group, L.P. Health Benefits Plan (SG Health Plan), the self-funded employee benefits plan of a Connecticut-based energy provider, reported a ransomware attack to OCR in October 2021. The forensic investigation determined that the ransomware group exfiltrated files containing the ePHI of 9,316 of its plan members. Data stolen in the attack included names, addresses, dates of birth, SSNs, and health insurance information, such as member identification numbers, claims data, and benefit selection information.

OCR’s investigation determined that SG Health Plan had failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to ePHI, resulting in an impermissible disclosure of the ePHI of 9,316 individuals. OCR resolved the alleged HIPAA violations with a $245,000 financial penalty, and SG Health Plan agreed to adopt a corrective action plan to address the alleged HIPAA violations. SG Health Plan will be monitored for compliance with the plan for two years.

Consociate, Inc., dba Consociate Health – $225,000 HIPAA Penalty

Consociate, Inc., doing business as Consociate Health, a third-party administrator of employer-sponsored benefit programs and business associate of health plans, discovered on January 14, 2021, that data in its information systems had been encrypted in a ransomware attack. The forensic investigation determined that its network had first been compromised six months earlier as a result of a phishing attack.

The threat actor gained access to a server containing the ePHI of 136,539 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, credit card/bank account numbers, and diagnoses or conditions. OCR determined that Consociate Health failed to conduct an accurate and thorough risk analysis and resolved the alleged HIPAA violation with a $225,000 financial penalty. Consociate Health agreed to adopt a corrective action plan to address the alleged HIPAA violation and will be monitored for compliance with the plan for two years.

Healthcare AI Firm Sued Over Alleged Unlawful Disclosures of Genetic Data

Tempus AI, a publicly traded healthcare artificial intelligence company, is facing multiple class action lawsuits over the alleged unauthorized collection and disclosure of genetic testing results, which were derived from genetic testing by Ambry Genetics Corporation (Ambry Genetics).

Ambry Genetics offers comprehensive genetic testing services, including screening and diagnosis of inherited and non-inherited diseases. Tempus AI was founded in 2015 and builds tech solutions around clinical care and research products. In February 2025, Tempus AI acquired Ambry Genetics for $600 million, and as a condition of the acquisition, Ambry Genetics was required to disclose its vast database of genetic data to Tempus AI. The database contained the genetic information of hundreds of thousands of individuals.

Tempus AI used Ambry Genetics’ genetic database to train its AI models. Tempus AI had signed agreements with more than 70 companies, including large and mid-sized pharmaceutical firms such as AstraZeneca, Bristol Myers Squibb, Pfizer, and GlaxoSmithKline, and biotechnology firms such as Incyte, Servier, Aspera Biomedicines, and Whitehawk Therapeutics. Genetic data derived from Ambry Genetics testing services was provided to those clients under those agreements.

Several class action lawsuits were filed against Tempus AI over the use of genetic data to train the AI models and the subsequent disclosures of genetic data. The lawsuits were consolidated into a single complaint – Farrier et al v. Tempus AI, Inc. – on April 15, 2026, in the U.S. District Court for the Northern District of Illinois. The lawsuit alleges that Tempus AI violated the Illinois Genetic Information Privacy Act (GIPA) and other state statutes by compelling Ambry Genetics to disclose the genetic data collected through its testing services and violating the same laws by disclosing the genetic data through its agreements with third-party partners. The lawsuit claims that Tempus AI has profited enormously from selling genetic data without the knowledge or written consent of the data subjects. The lawsuit alleges that the class members’ genetic data was disclosed to those clients in deals totaling $1.1 billion.

Tempus AI claims to have a clinical and molecular data library consisting of 45 million de-identified patient records, including 8.5 million clinical records, 2 million medical images, and 1 million matched clinical-genomic records. The lawsuit alleges that Tempus AI and Ambry Genetics misled the public by claiming that they only disclose de-identified genetic information, when that is not the case. Further, the lawsuit claims that genetic information “cannot be deidentified because such data serves as an inherently unique biomarker,” and like DNA, the information is inherently identifiable.

The 21-count lawsuit asserts claims for negligence, unjust enrichment, fraudulent concealment, conversion, invasion of privacy (intrusion upon seclusion), breach of contract, breach of implied contract, breach of fiduciary duty, and violations of consumer and data protection laws and deceptive trade practices laws in California, Florida, Georgia, Illinois, Michigan, New York, and West Virginia.

The plaintiffs seek a jury trial and damages, injunctive relief, and any other remedies that the Court deems appropriate to redress Tempus AI’s alleged unlawful and unauthorized data collection and disclosures, including an order from the court compelling Tempus AI to cease sharing individuals’ genetic data without first providing the data subjects with proper notice and obtaining their written consent.

Absolute Dental Settles Class Action Data Breach Lawsuit for $3.3M

A class action lawsuit filed against Absolute Dental Group, LLC, and Judge Consulting, Inc., over a 2025 data breach has been settled for $3,300,000. Absolute Dental is a Nevada-based dental care provider, and Judge Consulting is a provider of technology consulting, staffing solutions, and corporate training services. Absolute Dental contracted with Judge Consulting as its managed services provider, and Judge Consulting was responsible for the daily management and operations of Absolute Dental’s IT systems.

Absolute Dental identified suspicious activity within its network on February 26, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network between February 19, 2025, and March 5, 2025. Access was gained through an account associated with Judge Consulting. The hackers had access to names, contact information, Social Security numbers, driver’s license numbers, health information, health insurance information, financial information, and other sensitive data. The data breach was one of the largest of the year, affecting 1,223,635 individuals.

Several class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Jordan et al. v. Absolute Dental Group, LLC, et al. – in the U.S. District Court for the District of Nevada. The lawsuit alleged that the defendants failed to adequately secure patient data, failed to properly monitor their systems for intrusions, and failed to provide timely notice to the victims of the breach. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, invasion of privacy, violations of the Nevada Privacy of Information Collected on the Internet From Consumers Act, and declaratory and injunctive relief.

Following mediation, the plaintiffs and the defendants agreed to a settlement that was acceptable to all parties, with no admission of wrongdoing, fault, or liability by the defendants. A $3,300,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the five class representatives. The remainder of the settlement fund will be used to pay for benefits for the class members.

Class members may choose to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may claim an alternative pro rata cash payment, the value of which will depend on the number of valid claims received. Residents of California at the time of the data breach also qualify for an additional cash payment. The deadline for objection to and exclusion from the settlement is June 9, 2026. Claims must be submitted by June 18, 2026, and the final approval hearing has been scheduled for July 30, 2026.