Goshen Health & Hancock Health Settle Pixel Data Breach Lawsuits

Posted by Steve Alder

Goshen Health System and Hancock Health in Indiana have agreed to settle class action lawsuits that alleged patients’ protected health information was disclosed to unauthorized third parties via website tracking technologies.

Goshen Health Hospital Data Breach Settlement

On May 23, 2023, a class action lawsuit – Kaitlin Lamarr v. Goshen Health System, Inc. d/b/a Goshen Health Hospital – was filed in the Elkhart County Superior Court, Indiana, against Goshen Health System, doing business as Goshen Health Hospital, over the use of tracking technologies on its website. The lawsuit alleged that these tools, which included Meta Pixel, disclosed patients’ personally identifiable information to Meta and other unauthorized third parties without patients’ knowledge or permission.

The lawsuit asserted claims of negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Indiana Deceptive Consumer Sales Act and the Indiana Wiretapping Act. Goshen Health Hospital denies any wrongdoing, disagrees with the claims and contentions in the lawsuit, and believes that it would have prevailed at summary judgment and/or trial; however, after considering the uncertainty, risks, and expense of proceeding with the litigation, it was more desirable and beneficial to settle the litigation. The plaintiff and class counsel believe that the settlement negotiated with the defendant is reasonable and fair and is in the best interests of the class.

The class consists of individuals who logged into the Goshen Health patient portal between January 1, 2020, and December 31, 2023. Under the terms of the settlement, class members are entitled to submit a claim for a one-off cash payment of $25, and will automatically receive a code to enroll in a Privacy Shield Pro product, which includes dark web watchlist, VPN in touch, password scan, private search functionality, password defense, digital vault, and data broker opt-out services.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 16, 2025. The deadline for submitting a claim is November 29, 2025.

Hancock Regional Hospital Data Breach Settlement

A similar lawsuit Jennifer Fleece v. Board of Trustees of Hancock Regional Hospital – was filed against Hancock Regional Hospital in the Marion County Superior Court, Indiana, over the use of tracking technologies on its website, which were alleged to have impermissibly disclosed patients’ protected health information to Meta and other third parties without patients’ knowledge or consent.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Indiana Deceptive Consumer Sales Act. Hancock Regional Hospital maintains that there was no wrongdoing and disputes that it committed, or threatened or attempted to commit, any wrongful act, omission, or violation of law or duty alleged in the lawsuit, and while believing it had a good defense against all of the asserted claims, determined that a settlement was the best course of action. The plaintiff and class counsel believe the settlement is fair.

The settlement class consists of individuals who logged into the patient portal between January 1, 2020, and December 31, 2023. Claims may be submitted for a one-off $25 cash payment, and class members who submit a claim will receive a code to enroll in a Privacy Shield Pro product, which includes dark web watchlist, VPN in touch, password scan, private search functionality, password defense, digital vault, and data broker opt-out services. The final fairness hearing has been scheduled for December 18, 2025, and claims must be submitted by December 1, 2025.

The post Goshen Health & Hancock Health Settle Pixel Data Breach Lawsuits appeared first on The HIPAA Journal.

Delta Dental of Virginia Data Breach Affects 146,000 Individuals

Posted by Steve Alder

Delta Dental of Virginia has notified almost 146,000 members about a security incident that may have exposed their protected health information, and Saint Mary’s Home of Erie in Pennsylvania is investigating a network security incident that exposed residents’ sensitive information.

Delta Dental of Virginia

Delta Dental of Virginia, the largest dental benefits carrier in the Commonwealth of Virginia, has notified 145,918 individuals about an April 2025 security incident that exposed some of their personal and protected health information.

Suspicious activity was identified within an employee’s email account on April 23, 2025. Independent cybersecurity experts were engaged to investigate the activity, and unauthorized access to the email account was confirmed. The account was first accessed by an unauthorized third party on March 21, 2025, and access remained possible until the account was secured on April 23, 2025. During that time, certain emails and attachments within the account may have been viewed or acquired.

The account was reviewed, and notification letters started to be mailed to the affected individuals on November 21, 2025. The information potentially stolen included first and last names, Social Security numbers, state or federal government ID numbers, driver’s license numbers, financial information, and protected health information such as medical and health insurance information.

Delta Dental of Virginia has implemented additional safeguards to improve email security, and further security awareness training has been provided to the workforce. Individuals whose Social Security numbers or driver’s license numbers were potentially compromised have been offered complimentary credit monitoring, dark web monitoring, and identity theft protection services for 12 months. Those services include a $1 million identity theft and fraud reimbursement insurance policy. Several law firms have announced that they have opened investigations into potential class action litigation over the data breach.

Saint Mary’s Home of Erie

Saint Mary’s Home of Erie (SMHE), a non-profit continuing care retirement community in Erie, Pennsylvania, has recently announced a data security incident that was identified on August 27, 2025, prior to SMHE being acquired by the Lake Erie College of Osteopathic Medicine (LECOM).

The forensic investigation confirmed that an unauthorized third party had access to its network from August 26, 2025, to August 28, 2025. Immediate action was taken to secure its network to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the incident. The investigation determined that files and folders on its network may have been accessible to unauthorized individuals. The review of those files is ongoing, and the exact types of data involved and the number of affected individuals have yet to be confirmed.

In the interim, the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of at least 501 individuals. The total will be updated when the review is concluded, and notification letters will be mailed to the affected individuals.

The post Delta Dental of Virginia Data Breach Affects 146,000 Individuals appeared first on The HIPAA Journal.