Pinehurst Radiology Associates has agreed to settle a class action lawsuit over a January 2025 data breach, and Tallahassee Memorial HealthCare has agreed to settle class action litigation over its use of pixels on its website.

Pinehurst Radiology Associates Settlement

Pinehurst Radiology Associates, a medical diagnostic imaging center in Pinehurst, North Carolina, has agreed to settle a class action lawsuit over a January 2025 security incident that affected 8,682 individuals. Pinehurst Radiology Associates identified a cybersecurity incident on January 20, 2025, and determined that patients’ protected health information had been exposed. Data exposed in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, treatment information, medical record numbers, health insurance information, and Medicare/Medicaid numbers. The affected patients were notified on or around May 22, 2025.

Two class action lawsuits were filed in response to the data breach, which were consolidated in the Superior Court of Moore County, North Carolina – McNeill, et al. v. Pinehurst Radiology Associates, PLLC. The plaintiffs alleged that the data breach resulted from negligence because reasonable and appropriate cybersecurity measures had not been implemented. Pinehurst Radiology Associates denies all claims of wrongdoing, fault, and liability.

All parties explored the possibility of an early settlement, and an agreement on the material terms was reached on September 30, 2025. The final terms of the settlement have been negotiated, and it has received preliminary approval from the court. Pinehurst Radiology Associates has agreed to pay for CyEx Medical Shield Complete medical data monitoring services for 12 months for all class members, which include a $1 million identity theft insurance policy. Claims may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $500 per class member. Losses must have been incurred between January 20, 2025, and April 9, 2026. The deadline for opting out and objection is March 7, 2026. Claims must be submitted by April 9, 2026, and the final fairness hearing has been scheduled for April 6, 2026.

Tallahassee Memorial HealthCare Settlement

Tallahassee Memorial HealthCare has agreed to pay benefits to current and former patients whose personal and protected health information may have been disclosed to third parties, such as Meta Platforms and Google Inc., due to pixels and other tracking and analytics tools on the Tallahassee Memorial HealthCare website.

According to the lawsuit, these tools collected data relating to website use, which may have included personal and protected health information depending on the user’s interactions with the website. The lawsuit claims that these disclosures occurred for marketing and advertising purposes, without the knowledge or consent of website users. The lawsuit claims that the disclosures violated the Florida Security of Communications Act and the Electronic Communications Privacy Act. The lawsuit also asserted claims of invasion of privacy, breach of implied contract, unjust enrichment, and breach of confidence.

Tallahassee Memorial HealthCare denies all claims of wrongdoing and liability, and all material allegations in the lawsuit, but chose to settle the litigation to avoid the cost and uncertainty of a trial and related appeals. The plaintiffs believe all claims have merit but agreed that the settlement is fair and in the best interests of all class members. Under the terms of the settlement, class members can claim a 24-month membership to CyEx Financial Shield Complete, as well as a cash payment of $17. The final fairness hearing has been scheduled for March 2, 2026.

The post Pinehurst Radiology Associates & Tallahassee Memorial HealthCare Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

Settlements have received preliminary approval from the courts to resolve class action lawsuits against Northeast Rehabilitation Hospital Network, American Addiction Centers, and Midwest Physician Administrative Services (Duly Health and Care) over alleged impermissible disclosures of patients’ protected health information.

Northeast Rehabilitation Hospital Network Data Breach Settlement

Northeast Rehabilitation Hospital Network in New Hampshire has agreed to a settlement to resolve a class action data breach lawsuit stemming from a 2024 cyberattack by the Hunters International cyber threat group. The cyberattack was detected on or around May 22, 2024, and the lawsuit states that the private information of 148,515 individuals was compromised in the incident.

The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 136,724 individuals. Data compromised in the incident included names, medical histories, treatment information, patient account numbers, billing/claims information, and health insurance information. Patients were notified about the data breach on or around January 6, 2025.

The first lawsuit over the data breach was filed in January 2025, followed by a further three class action complaints. The lawsuits were consolidated – Minicucci et al. v. Northeast Rehabilitation Hospital Network – in the Rockingham County Superior Court in the State of New Hampshire.

Northeast Rehabilitation Hospital Network denies the claims in the lawsuit but chose to settle the litigation with no admission of liability or wrongdoing. Under the terms of the settlement, class members may submit a claim for one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, a claim may be submitted for a one-time cash payment of $75.00. The deadline for objection, opting out, and submitting a claim is February 17, 2026. The final fairness hearing has been scheduled for March 2, 2026.

American Addiction Centers Data Breach Settlement

American Addiction Centers has agreed to settle a class action lawsuit over a September 26, 2024, data incident involving unauthorized access to the personal information of 423,065 individuals, including the protected health information of 410,747 current and former patients. Data exposed or stolen in the Rhysida ransomware attack included names, addresses, phone numbers, dates of birth, medical record numbers, other identifiers, Social Security numbers, and health insurance information.

Twelve class action lawsuits were filed in response to the data breach, which were consolidated in the United States District Court for the Middle District of Tennessee, as they had overlapping claims. The consolidated lawsuit In re American Addiction Centers, Inc. Data Breach Litigation – alleged that the ransomware attack and data breach occurred due to the failure of American Addiction Centers to implement reasonable and appropriate data security measures. American Addiction Centers denies all claims of wrongdoing, fault, and liability, but agreed to settle the litigation to avoid further legal costs, expenses, and the distraction, burden, and disruption to business operations from continuing with the litigation.

American Addiction Centers has agreed to establish a $2,750,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the twelve plaintiffs, and benefits for the class members. Class members may claim two years of credit monitoring services, reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and a pro rata cash payment, expected to be approximately $50 per class member, but may be higher or lower depending on the number of valid claims received.

The deadline for objection and opting out is March 6, 2026. The deadline for submitting a claim is March 23, 2026, and the final fairness hearing has been scheduled for April 20, 2026.

Midwest Physician Administrative Services (Duly Health and Care) Pixel Settlement

A settlement has been agreed to resolve a class action lawsuit against Midwest Physician Administrative Services, LLC d/b/a Duly Health and Care, over its use of Meta Pixel tracking code on its website, dulyhealthandvcare.com. The plaintiffs alleged that the tracking code transmitted personal and protected health information to Meta Platforms without website users’ knowledge or consent.

The lawsuit – Mayer v. Midwest Physician Administrative Services, LLC d/b/a Duly Health and Care – filed in the United States District Court, Northern District of Illinois alleged that Duly Health and Care encourages patients to use the website to book medical appointments, locate physicians and treatment facilities, communicate medical symptoms, search medical conditions and treatment options, and sign up for events and classes. A patient portal is also maintained for communicating with clinicians, accessing medical records, booking appointments, obtaining test results, and more.

While users of the website and patient portal believed that they were communicating only with Duly Health and Care, without their knowledge, data was being collected and transmitted to Meta Platforms. According to the lawsuit, “By installing the Meta Pixel, Defendant effectively planted a bug on Plaintiffs’ and Class Members’ web browsers and compelled them to unknowingly disclose their private, sensitive and confidential health-related communications with Defendant to Meta.”

The lawsuit asserted eight claims, one for violation of the federal Electronic Communications Privacy Act (ECPA), and seven claims under state law: violation of the Illinois Eavesdropping Statute; violation of the Illinois Consumer Fraud and Deceptive Business Practices Act; violation of the Illinois Uniform Deceptive Trade Practices Act; breach of confidence; invasion of privacy—intrusion upon seclusion; breach of implied contract; and negligence. Duly Health and Care denies all wrongdoing and sought to have the lawsuit dismissed for failure to state a claim. The motion to dismiss was partially successful and resulted in six of the eight claims being dismissed; however, the lawsuit was allowed to proceed with the claims of negligence and violation of the ECPA.

A settlement was agreed upon following mediation and the commencement of discovery. Duly Health and Care has agreed to establish a settlement fund of $1,880,000, from which attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives will be deducted. The remainder of the settlement will be paid pro rata to individuals who submit a claim. Claims will be accepted from patients who logged into the authenticated portion of the website between July 24, 2020, and April 10, 2023. The deadline for opting out and objection is March 2, 2026. The deadline for filing a claim is March 2, 2026, and the final fairness hearing has been scheduled for April 7, 2026.

The post Three Healthcare Providers Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.