Settlements Agreed to Resolve Two Class Action Healthcare Data Breach Lawsuits

Settlements have received preliminary approval from the courts to resolve class action data breach lawsuits against Dove Healthcare Management Services and Blackstone Valley Community Health Care over the exposure of plaintiffs’ private information in 2023 and 2024 hacking incidents.

Dove Healthcare Management Services Data Breach Settlement

Dove Healthcare Management Services, a provider of nursing and rehabilitation care, assisted living, and palliative care services, has agreed to a settlement to resolve litigation over a July 2024 cyberattack that exposed the private information of patients and employees.

Cybercriminals breached its information systems on or around July 6, 2024, exposing names, dates of birth, Social Security numbers, driver’s license numbers, full face photographs, health information, and health insurance information. The affected individuals began receiving notifications about the incident on March 18, 2025. The first class action lawsuit was filed on March 26, 2025, followed by several similar lawsuits. The complaints were consolidated into a single action in the Circuit Court of Eau Claire County, Wisconsin.

The consolidated lawsuit – Miranda Meredith, et al. v. Dove Healthcare Management Services, LLC – alleged that the defendant was to blame for the intrusion and data exposure and could have prevented it if industry-standard cybersecurity measures had been implemented. The defendant denies all claims in the lawsuit, including claims of wrongdoing, fault, and liability. After several months, all parties agreed on the material terms of a settlement to bring the litigation to an end, with no admission of wrongdoing or liability by the defendant. The settlement has now been finalized and has received preliminary approval from the court.

Settlement Benefits:

Two years of complimentary credit monitoring and identity theft protection services, plus one of the following cash payments:

  • Reimbursement of documented, unreimbursed losses up to a maximum of $3,000 per class member, which may include up to three hours of lost time at $20 per hour, or
  • A pro rata alternative cash payment, estimated to be approximately $50

The cash benefits are subject to a $150,000 cap. The alternative cash payments will be paid from the remainder of the $150,000 fund after claims have been paid, and are subject to a pro rata decrease, depending on the number of claims received.

In addition to those benefits, the defendant has agreed to make cybersecurity enhancements, the cost of which will be paid by the defendant in addition to the settlement costs. The objection and exclusion deadline is June 22, 2026. The deadline for submitting a claim is July 7, 2026, and the final fairness hearing has been scheduled for July 20, 2026.

Blackstone Valley Community Health Care Data Breach Settlement

Blackstone Valley Community Health Care, a federally funded community health center in Rhode Island, has settled a class action lawsuit filed by plaintiff Alba Peralta Perez, who was affected by a 2023 data incident. The defendant identified suspicious activity within its network on November 11, 2023, and confirmed that an unauthorized third party had access to patients’ names and Social Security numbers.

The lawsuit – Perez v. Blackstone Valley Community Health Care, Inc. – was filed in the District Court for the District of Rhode Island. After being briefed on the defendant’s motion to dismiss, the federal action was voluntarily dismissed by the plaintiff without prejudice due to questions over the federal court’s jurisdiction. The action was subsequently refiled in the Superior Court of Providence County, Rhode Island. All parties agreed to settle the lawsuit to avoid the costs and risks associated with a trial, with no admission of wrongdoing or liability by the defendant.

Settlement Benefits:

Class members are entitled to enroll in three years of credit monitoring services and may also claim one of the following two cash benefits, the cap for which is set at $525,000. Should that cap be exceeded, claims will be paid pro rata.

  • Reimbursement for documented ordinary expenses
  • Reimbursement for documented extraordinary expenses (losses from identity theft or fraud)
  • Reimbursement for lost time – Up to four hours at $20 per hour

The objection, exclusion, and claims deadline is June 1, 2026. The final fairness hearing has been scheduled for June 23, 2026.

The post Settlements Agreed to Resolve Two Class Action Healthcare Data Breach Lawsuits appeared first on The HIPAA Journal.

AI Analysis Identifies 38 Flaws in OpenEMR Platform

An automated, AI-driven analysis of the most widely used electronic medical records platform uncovered 38 previously unknown vulnerabilities, including two critical flaws with maximum CVSS severity scores of 10.0. The vulnerabilities were identified as part of a collaboration between AISLE, an autonomous, AI-native application security platform, and OpenEMR, an open source and U.S. government-certified platform, the purpose of which was to identify and remediate critical vulnerabilities in the platform before they could be exploited by malicious actors.

OpenEMR is used by more than 100,000 healthcare providers worldwide, and the platform serves more than 200 million patients globally. OpenEMR is free open source software with no licensing fees and relatively low operating costs, making it a popular choice for under-resourced healthcare providers. The platform is widely used in the United States.

The analysis by AISLE resulted in 39 GitHub Security Advisory (GHSA) vulnerabilities in Q1, 2026, including critical, high, and moderate severity vulnerabilities, with 38 of the 39 vulnerabilities receiving CVE designations. The two most serious vulnerabilities could potentially have been exploited to access and rewrite patient and provider data, compromise the full database, and achieve remote code execution on the server, allowing ePHI to be exfiltrated at scale. One of the maximum severity flaws could be exploited by a remote attacker with no authentication on any Internet-reachable OpenEMR instance.

The vulnerabilities identified by AISLE accounted for more than half of all OpenEMR security vulnerabilities published on GitHub in Q1, 2026. “These disclosures reflect the growing threats that healthcare institutions face in the age of AI,” said Stanislav Fort, co-founder and chief scientist at AISLE. “Because human lives and identities are at stake, few issues are as critical as ensuring that medical codebases are secure. AISLE’s collaboration with OpenEMR shows that AI-driven analysis can help dedicated, lean teams defend vital systems and remain compliant.”

Threat actors are increasingly using AI to analyze code and identify exploitable vulnerabilities, so it is vital for defenders to also use AI to accelerate the discovery and remediation of vulnerabilities. Through the partnership with AISLE, the OpenEMR maintainers were able to fix the vulnerabilities before they could be exploited and have now begun a partnership with AISLE to secure OpenEMR for years to come.

For each of the 38 CVEs, AISLE generated a repository-native fix proposal using OpenEMR’s own abstractions, authorization patterns, and sanitization helpers. AISLE produced the fix for one of the critical vulnerabilities, and for other critical flaws, OpenEMR maintainers adopted AISLE’s proposed remediation into the final fix. The OpenEMR maintainers now have access to AISLE’s AI-native AppSec platform, which allows them to automatically detect, triage, and fix software vulnerabilities. OpenEMR can now focus on hardening defenses without having to employ additional team members. In addition to using the platform to identify vulnerabilities in production code, OpenEMR is using the AISLE vulnerability analyzer to analyze code and identify security issues before they reach production.

The post AI Analysis Identifies 38 Flaws in OpenEMR Platform appeared first on The HIPAA Journal.