$3.75M Settlement Resolves Data Breach Lawsuit Against Chattanooga Heart Institute

Memorial Heart Institute, doing business as Chattanooga Heart Institute in Tennessee, was sued over a data breach in 2023. A $3.75 million settlement has been agreed upon and has received the first nod from a judge. The final fairness hearing has been scheduled for May 28, 2026.

The cyberattack was identified on April 17, 2023. The investigation determined that a threat actor had access to the Chattanooga Heart Institute network between March 8 and March 16, 2023, and exfiltrated files, some of which contained patients’ protected health information. The file review confirmed that data compromised in the incident included names, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information.

The Karakurt ransomware group claimed responsibility for the attack. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 545,491 individuals. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single action – Cahill, et al., v. Memorial Heart Institute, LLC, d/b/a The Chattanooga Heart Institute – in the U.S. District Court for the Eastern District of Tennessee, Southern Division of Chattanooga.

According to the lawsuit, approximately 460,000 individuals had their private information exposed or stolen in the incident, including 287,000 individuals who had their Social Security numbers exposed. The plaintiffs alleged that Chattanooga Heart Institute negligently maintained patient data and had not implemented appropriate safeguards to prevent unauthorized access, claims strenuously denied by the Chattanooga Heart Institute. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, bailment, breach of fiduciary duty, invasion of privacy, and declaratory and injunctive relief.

Chattanooga Heart Institute sought to have the lawsuit dismissed; however, the request was denied in part, and the lawsuit was allowed to proceed. During discovery, the parties began exploring the possibility of an early resolution, and following mediation, agreed upon the material terms of a settlement. The settlement has now been finalized, with no admission of wrongdoing or liability by the Chattanooga Heart Institute. The defendant will establish a $3,750,000 settlement fund, which will be split into two separate funds – a non-reversionary $2,000,000 fund for the Social Security number subclass and a fund of up to $1,750,000 for the total class.

All class members may claim two years of credit monitoring services, valued at approximately $120 per year. In addition, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,500 per class member. A cash payment may also be claimed by members of the Social Security number settlement class. The cash payments will be paid pro rata after the settlement administration costs, a share of the attorneys’ fees and expenses, and service awards for the class representatives have been deducted. The attorneys’ fees and costs will be divided between the Social Security number class (53%) and the total class fund (47%). The deadline for submitting a claim is July 13, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 12, 2026.

The post $3.75M Settlement Resolves Data Breach Lawsuit Against Chattanooga Heart Institute appeared first on The HIPAA Journal.

Illinois Bone and Joint Institute Settles Class Action Data Breach Lawsuit for $4M

Illinois Bone and Joint Institute (IBJI), one of the largest orthopedic group practices in Illinois, has agreed to settle a consolidated class action lawsuit stemming from a 2024 cyberattack and data breach that affected up to 665,321 individuals.

IBJI identified unauthorized access to its computer systems on or around July 4, 2024. The forensic investigation determined that hackers had access to its network from May 30, 2024, to July 4, 2024, and copied files containing patient information. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnosis and treatment information, and health insurance/claims information. The breach was initially reported to the HHS’ Office for Civil Rights as affecting approximately 183,000 individuals. The total was later amended to 665,321 individuals, although the lawsuit states that approximately 568,000 individuals are in the settlement class.

The first class action lawsuit over the data breach was filed by plaintiff Guy Redman in the Circuit Court of Cook County, Illinois, County Department, Chancery Division. A further seven lawsuits were filed by other plaintiffs, which were consolidated into a single complaint because the lawsuits had overlapping claims. The consolidated class action lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

The defendant denied and continues to deny all claims and contentions in the lawsuit, including all claims of fault, wrongdoing, and liability. Following mediation, the material terms of a settlement were agreed upon to bring the litigation to an end and avoid the costs and distraction of protracted litigation and the uncertainty of a trial. The settlement has now been finalized and granted preliminary approval from the court. The final fairness hearing has been scheduled for July 1, 2026.

The defendant has agreed to establish a $4 million settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. The remainder of the settlement fund will be used to pay for benefits for the class members. Class members are entitled to two years of medical data monitoring, reimbursement of out-of-pocket losses due to the data breach, and a pro rata cash payment. Class members may claim reimbursement of up to $5,000 in documented, unreimbursed losses, and the cash payments are estimated to be $50 per class member, although the cash payments may be higher or lower depending on the number of claims received. The deadline for submitting a claim is July 1, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 1, 2026.


Two Senior Care Providers Affected by Ransomware Attacks

Two providers of senior services have recently disclosed data security incidents. Windward Life Care in California and Legend Senior Living in Kansas experienced data breaches in 2025, for which ransomware groups claimed responsibility and proceeded to leak the stolen data.

Windward Life Care, California

Buena Vista Management Services, LLC, doing business as Windward Life Care, a San Diego, CA-based provider of aging life care management and home health care services to seniors and disabled adults, has started notifying individuals about a December 2025 data security incident. According to the breach notice, suspicious activity was identified within its computer network on December 8, 2025, and the forensic investigation determined that an unauthorized third party gained access to the network earlier that day.

The compromised parts of the network were reviewed and found to contain files containing personal and protected health information. The review of those files was completed on April 6, 2026, and notification letters were mailed to the affected individuals on April 10, 2026. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Information potentially compromised in the incident varies from individual to individual, and may include names in combination with addresses, email addresses, personal identification numbers, Social Security numbers, driver’s license numbers, taxpayer identification numbers, passport information, patient identification numbers, financial account numbers, debit/credit card numbers, handwriting or electronic signatures, medical information, health insurance information, usernames, and other account holder identifying information and access information.

While Windward Life Care did not describe the incident as a ransomware attack, a ransomware group has claimed responsibility for the attack. Despite the incident being detected on the same day as its network was breached, Sinobi claims to have encrypted files and exfiltrated 25 gigabytes of data from the network. Windward Life Care was added to the Sinobi data leak site on January 5, 2026, along with a threat to publish the stolen data. Sinobi proceeded to leak the stolen data when the ransom was not paid. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Legend Senior Living, Kansas

Legend Senior Living, LLC, a Wichita, Kansas-based senior living community, has recently notified state attorneys general about a data security incident discovered on or around August 15, 2025. The forensic investigation confirmed unauthorized access to its computer systems between July 27, 2025, and August 15, 2025, during which time, files containing personal and protected health information may have been viewed or acquired.

Legend Senior Living said it promptly initiated a data review to determine the extent of the data breach. The review was preliminarily completed on March 12, 2026, and after verifying the findings and obtaining contact information, notification letters started to be mailed to the affected individuals on April 10, 2026. Data potentially compromised in the incident included names, Social Security numbers, driver’s license numbers/state ID numbers, passport information, financial account information, medical information, and health insurance information. The affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Worldleaks threat group claimed responsibility for the attack and added Legend Senior Living to its dark web data leak site in September 2025. Worldleaks proceeded to leak the stolen data, indicating the ransom was not paid. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that 5,006 Texas residents were affected.


HSCC Issues Guidance for Healthcare Organizations on Managing Third Party AI Risks

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group has issued a guidance document for healthcare organizations on managing third-party AI and AI-related supply chain risks. Healthcare organizations are increasingly reliant on AI-powered third-party tools and services, such as natural language processing engines embedded in electronic health records and AI-powered remote monitoring devices. These products provide critical functions for healthcare organizations, yet they introduce complex cybersecurity challenges that traditional risk management tools and models struggle to address.

Managing risk can be difficult, as AI tools are provided by third-party vendors whose security postures, governance practices, and model integrity are difficult to verify. Further, healthcare organizations often lack visibility into the full scope of the AI components incorporated into third-party products and services, which are often sourced through layered supply chains, including subcontractors, offshore development, and open source assets, explain HSCC co-leads Ed Gaudet, Censinet, and Samantha Jacques, McLaren Health.

The HSCC Cybersecurity Working Group developed the 109-page guide – Health Industry Third Party AI Risk and Supply Chain Transparency Guide – to help healthcare organizations understand and manage third-party AI supply chain risks. The guide draws from established cybersecurity frameworks such as the NIST AI Risk Management Framework and the joint HSCC-HHS Health Industry Cybersecurity Practices (HICP), and adapts cybersecurity best practices to reflect the modern realities of AI supply chains in healthcare. The guide has been developed to meet the needs of organizations of all sizes, regardless of their level of AI adoption. The guide can be followed in its entirety, or organizations can adopt the parts that work for their organization. The guide will help them to define accountability expectations and drive performance standards across their extended AI ecosystem.

The guide provides risk managers, compliance teams, and procurement officers with scalable tools to identify and manage AI-specific risks such as hidden dependencies and cascading failure points, and address the growing gaps in discovery and disclosure processes that make AI supply chain risk so challenging to manage. HSCC encourages healthcare organizations to distribute the guidance to senior business and technical leaders and their teams, recommending that they incorporate the best practices in the guide and evaluate their own third-party and supply chain risk management practices against the best practices outlined in the document. In addition to the guide, HSCC has published a living AI Cyber Glossary reference document for establishing consistent governance-ready definitions for artificial intelligence terminology for the healthcare sector. The AI Cyber Glossary is intended to serve as the terminological foundation for all current and future HSCC AI Task Group guidance materials.
