Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation

A settlement has been agreed to resolve a class action lawsuit against the Nashville, TN-based health plan administration service provider, Lucent Health Solutions. The litigation stems from an October 2023 phishing attack that allowed a threat actor to obtain credentials for an email account.

Lucent Health Solutions said the threat actor only had a 90-minute window to access the account, and no evidence was found of data theft; however, the account contained the protected health information of approximately 37,000 individuals, including their names, dates of birth, Social Security numbers, and health, dental, and vision group and/or plan numbers.  The affected individuals were notified about the data breach in  January 2025, 15 months after the breach occurred.

A putative class action lawsuit was filed by plaintiff Royal Corralejo – Royal Corralejo v. Lucent Health Solutions, LLC Litigation – in the Circuit Court for Davidson County, Tennessee, which was removed to the United States District Court for the Middle District of Tennessee. The lawsuit alleged that the defendant had failed to implement reasonable and appropriate cybersecurity measures, resulting in the data breach. The defendant denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing.

After considering the costs and risks associated with a trial and related appeals, all parties agreed to discuss settling the lawsuit. During mediation on August 29, 2025, the material terms of a settlement were agreed by all parties, with no admission of liability or wrongdoing by the defendant. The settlement provides several benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $550 per class member, and a claim for up to $5,500 reimbursement for extraordinary losses from fraud or identity theft. A claim may also be submitted for up to 5 hours of lost time at $25 per hour.

Individuals who chose not to claim those benefits may instead claim a one-time cash payment of $80. Regardless of whether a claim is submitted for reimbursement of losses or the cash payment, class members may also claim a three-year membership to the CyEx Medical Shield Complete medical data monitoring service.

The defendant has agreed to pay up to $1,950,000 to resolve the lawsuit, which includes attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the plaintiff. Should claims exceed that total, claims will be subject to a pro rata reduction. The deadline for objection and opting out of the settlement is August 21, 2026. The deadline for submitting a claim is September 5, 2026, and the final fairness hearing has been scheduled for September 9, 2026.

The post Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack

A settlement has been agreed to resolve a class action lawsuit against the Pinehurst, North Carolina-based molecular, cytology, and pathology service provider Marlboro-Chesterfield Pathology, P.C. The lawsuit was filed in response to a January 2025 ransomware attack by the SafePay ransomware group.

Unauthorized network access was identified on January 16, 2025, and the forensic investigation confirmed that 235,911 individuals had their data compromised in the attack, including their names, dates of birth, Social Security numbers, and protected health information. The affected individuals were notified about the incident on or around May 7, 2025.

A class action lawsuit – Cox v. Marlboro-Chesterfield Pathology, P.C – was filed in the County of Moor Superior Court by plaintiff Cox, individually and on behalf of similarly affected individuals. Plaintiff Cox alleged that her personal and protected health information was in the hands of cybercriminals as a result of the attack, and that the ransomware attack occurred as a result of the failure of Marlboro-Chesterfield Pathology to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network.

Marlboro-Chesterfield Pathology maintains there was no wrongdoing and disagrees with the claims and contentions in the lawsuit, including claims of fault and liability, and plaintiff Cox believes her claims are valid. After arms-length negotiations, and after the parties considered the costs and risks associated with continuing with the litigation, they entered into settlement discussions, and the material terms of a settlement were agreed on November 21, 2025.

The settlement has now been finalized and has received preliminary approval from the court. The defendant has agreed to pay attorneys’ fees and expenses, settlement administration and notice costs, and a service award for the class representative. Attorneys’ fees and costs have been capped at $100,000.

Class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member. Individuals who had their Social Security numbers compromised in the incident may submit a claim for an alternative cash payment of $10, should they choose not to submit a claim for reimbursement of losses.

All individuals, regardless of whether they submit a claim for reimbursement of losses or the cash payment, are entitled to a one-year membership to a credit monitoring and identity theft protection service, which includes a $1 million identity theft insurance policy. The deadline for objection, opting out, and submitting a claim is August 21, 2026. The final fairness hearing has been scheduled for October 12, 2026.

The post Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack appeared first on The HIPAA Journal.

California Gay & Lesbian Services Center Data Breach Affects 75,500 Individuals

Gay & Lesbian Community Services Center of Orange County, California, a provider of mental health, HIV testing, education and outreach, has identified unauthorized access to its network and the exposure of the personal and protected health information of up to 75,532 individuals.

Suspicious network activity was identified on or around December 26, 2025, and third-party cybersecurity experts were engaged to investigate the incident. They confirmed that there had been unauthorized access to the network from December 25 to December 26, 2025, and files containing sensitive information may have been viewed or acquired.

The review of the impacted data was completed on May 6, 2026, when it was confirmed that the following types of information were stored on the compromised parts of the network: full names, dates of birth, Social Security numbers, diagnosis information, prescription information, medical histories and treatment information, medical record numbers, health insurance information, driver’s license numbers, government identification numbers, state identification numbers, passport numbers, taxpayer identification numbers, financial account information, biometric identifiers, financial account information, and payment card information. The types of information involved varied from individual to individual.

Gay & Lesbian Community Services Center of Orange County said it is committed to maintaining the privacy of personal information in its possession and continually evaluates and modifies its security practices to enhance data privacy and security. The affected individuals have been advised to remain vigilant and monitor their account statements and free credit reports for suspicious activity. The website breach notice makes no mention of free credit monitoring or identity theft protection services.

Alta Orthopaedics

Alta Orthopaedics, a Santa Barbara, CA-based orthopedics practice with six locations in Santa Barbara, Santa Maria, Solvang, and Oxnard, has started mailing notification letters to patients affected by a recent security incident.

On March 10, 2026, the practice identified suspicious activity within its computer network. The forensic investigation determined that there had been unauthorized access to certain information on its network between February 3, 2026, and February 6, 2026. The review of the exposed files confirmed that they contained personal and protected health information such as names, addresses, phone numbers, Social Security numbers, driver’s license/state ID numbers, birth dates, billing codes, dates of service, reasons for visits, treatment costs, provider names, diagnoses, treatment information, clinical information, treatment location, medical record numbers, patient account numbers, and health insurance information.

The incident was reported to law enforcement, policies and procedures related to data privacy and security have been reviewed, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified; however, the number of affected individuals has yet to be publicly disclosed.

Lake Region Healthcare

Lake Region Healthcare, a nonprofit rural health system based in Fergus Falls, Minnesota, has notified individuals affected by a recent cybersecurity incident. Unauthorized access to its network was first identified on May 19, 2025. Law enforcement was notified, and an investigation was launched to determine the nature and scope of the unauthorized activity.

No evidence was found to indicate any unauthorized access to electronic medical records; however, files containing patient information may have been viewed or acquired on or around May 19, 2025. It has taken more than a year to review the affected data. That process was completed on June 5, 2026, when it was confirmed that names were exposed, along with one or more of the following: date of birth, Social Security number, medical record number, patient account number, health insurance information, contact information, medical and/or treatment information, government-issued identification, and/or financial information.

Lake Region Healthcare said it is unaware of any actual or attempted misuse of that data; however, as a precaution, the affected individuals have been offered complimentary identity theft protection services. The scale of the breach has yet to be publicly disclosed, although according to notifications to state attorneys general, 294 Texas residents and 20 Massachusetts residents are among the affected individuals.

The post California Gay & Lesbian Services Center Data Breach Affects 75,500 Individuals appeared first on The HIPAA Journal.