Three Healthcare Providers Settle Class Action Data Breach Lawsuits

Posted by Steve Alder

Settlements have received preliminary approval from the courts to resolve class action lawsuits against Northeast Rehabilitation Hospital Network, American Addiction Centers, and Midwest Physician Administrative Services (Duly Health and Care) over alleged impermissible disclosures of patients’ protected health information.

Northeast Rehabilitation Hospital Network Data Breach Settlement

Northeast Rehabilitation Hospital Network in New Hampshire has agreed to a settlement to resolve a class action data breach lawsuit stemming from a 2024 cyberattack by the Hunters International cyber threat group. The cyberattack was detected on or around May 22, 2024, and the lawsuit states that the private information of 148,515 individuals was compromised in the incident.

The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 136,724 individuals. Data compromised in the incident included names, medical histories, treatment information, patient account numbers, billing/claims information, and health insurance information. Patients were notified about the data breach on or around January 6, 2025.

The first lawsuit over the data breach was filed in January 2025, followed by a further three class action complaints. The lawsuits were consolidated – Minicucci et al. v. Northeast Rehabilitation Hospital Network – in the Rockingham County Superior Court in the State of New Hampshire.

Northeast Rehabilitation Hospital Network denies the claims in the lawsuit but chose to settle the litigation with no admission of liability or wrongdoing. Under the terms of the settlement, class members may submit a claim for one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, a claim may be submitted for a one-time cash payment of $75.00. The deadline for objection, opting out, and submitting a claim is February 17, 2026. The final fairness hearing has been scheduled for March 2, 2026.

American Addiction Centers Data Breach Settlement

American Addiction Centers has agreed to settle a class action lawsuit over a September 26, 2024, data incident involving unauthorized access to the personal information of 423,065 individuals, including the protected health information of 410,747 current and former patients. Data exposed or stolen in the Rhysida ransomware attack included names, addresses, phone numbers, dates of birth, medical record numbers, other identifiers, Social Security numbers, and health insurance information.

Twelve class action lawsuits were filed in response to the data breach, which were consolidated in the United States District Court for the Middle District of Tennessee, as they had overlapping claims. The consolidated lawsuit In re American Addiction Centers, Inc. Data Breach Litigation – alleged that the ransomware attack and data breach occurred due to the failure of American Addiction Centers to implement reasonable and appropriate data security measures. American Addiction Centers denies all claims of wrongdoing, fault, and liability, but agreed to settle the litigation to avoid further legal costs, expenses, and the distraction, burden, and disruption to business operations from continuing with the litigation.

American Addiction Centers has agreed to establish a $2,750,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the twelve plaintiffs, and benefits for the class members. Class members may claim two years of credit monitoring services, reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and a pro rata cash payment, expected to be approximately $50 per class member, but may be higher or lower depending on the number of valid claims received.

The deadline for objection and opting out is March 6, 2026. The deadline for submitting a claim is March 23, 2026, and the final fairness hearing has been scheduled for April 20, 2026.

Midwest Physician Administrative Services (Duly Health and Care) Pixel Settlement

A settlement has been agreed to resolve a class action lawsuit against Midwest Physician Administrative Services, LLC d/b/a Duly Health and Care, over its use of Meta Pixel tracking code on its website, dulyhealthandvcare.com. The plaintiffs alleged that the tracking code transmitted personal and protected health information to Meta Platforms without website users’ knowledge or consent.

The lawsuit – Mayer v. Midwest Physician Administrative Services, LLC d/b/a Duly Health and Care – filed in the United States District Court, Northern District of Illinois alleged that Duly Health and Care encourages patients to use the website to book medical appointments, locate physicians and treatment facilities, communicate medical symptoms, search medical conditions and treatment options, and sign up for events and classes. A patient portal is also maintained for communicating with clinicians, accessing medical records, booking appointments, obtaining test results, and more.

While users of the website and patient portal believed that they were communicating only with Duly Health and Care, without their knowledge, data was being collected and transmitted to Meta Platforms. According to the lawsuit, “By installing the Meta Pixel, Defendant effectively planted a bug on Plaintiffs’ and Class Members’ web browsers and compelled them to unknowingly disclose their private, sensitive and confidential health-related communications with Defendant to Meta.”

The lawsuit asserted eight claims, one for violation of the federal Electronic Communications Privacy Act (ECPA), and seven claims under state law: violation of the Illinois Eavesdropping Statute; violation of the Illinois Consumer Fraud and Deceptive Business Practices Act; violation of the Illinois Uniform Deceptive Trade Practices Act; breach of confidence; invasion of privacy—intrusion upon seclusion; breach of implied contract; and negligence. Duly Health and Care denies all wrongdoing and sought to have the lawsuit dismissed for failure to state a claim. The motion to dismiss was partially successful and resulted in six of the eight claims being dismissed; however, the lawsuit was allowed to proceed with the claims of negligence and violation of the ECPA.

A settlement was agreed upon following mediation and the commencement of discovery. Duly Health and Care has agreed to establish a settlement fund of $1,880,000, from which attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives will be deducted. The remainder of the settlement will be paid pro rata to individuals who submit a claim. Claims will be accepted from patients who logged into the authenticated portion of the website between July 24, 2020, and April 10, 2023. The deadline for opting out and objection is March 2, 2026. The deadline for filing a claim is March 2, 2026, and the final fairness hearing has been scheduled for April 7, 2026.

The post Three Healthcare Providers Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

Therapy Practice Management Software

Posted by Steve Alder

Therapy practice management software is an administrative and clinical operations system used by behavioral health providers to manage scheduling, documentation, communications, telehealth, and billing while maintaining safeguards for protected health information under the HIPAA Privacy Rule and HIPAA Security Rule. Therapy practice management software supports end to end operational workflows for behavioral health services. Common functions include appointment scheduling, intake and consent handling, clinical documentation, patient communications, telehealth delivery, billing and payments, and reporting. When the software creates, receives, maintains, or transmits electronic protected health information, the vendor role and contract terms determine whether the vendor is a Business Associate and whether a Business Associate Agreement is required.

HIPAA Compliance for Therapy Practice Management Software

HIPAA compliance obligations apply when electronic protected health information is handled by a HIPAA Covered Entity or by a Business Associate performing functions or activities on behalf of a HIPAA Covered Entity. A therapy practice using a platform for telehealth visits, clinical notes, messaging, or billing remains responsible for implementing administrative, physical, and technical safeguards required by the HIPAA Security Rule and for limiting uses and disclosures under the HIPAA Privacy Rule. Vendor services that involve access to electronic protected health information typically require a Business Associate Agreement that defines permitted uses and disclosures, safeguard obligations, reporting obligations, and downstream subcontractor requirements.

Therapy Practice Management Software Features

The most important features required in therapy practice management software are:

  • HIPAA-compliant telehealth supports encrypted audiovisual sessions with access controls and audit logging.

  • Patient portal provides authenticated access to documents, appointments, and clinical forms.

  • Secure patient communications supports encrypted messaging with identity verification and access controls.

  • Large template library for charting supports standardized documentation and consistent record content.

  • Automated appointment reminders supports configurable reminders with controlled content to limit disclosures.

  • Integrated billing supports charge capture, payment processing controls, and claims workflow alignment.

Recommendations for Choosing Therapy Practice Management Software

Therapy practice management software should be implemented with documented workflows and configurations that reduce unnecessary movement of electronic protected health information and support compliance with the HIPAA Privacy Rule and HIPAA Security Rule. Scheduling, appointment reminders, and billing functions should be configured so that protected health information remains inside controlled systems rather than being copied into untracked email, spreadsheets, or consumer messaging. Documentation workflows should be standardized through controlled templates and structured forms so that clinical records remain consistent across providers and support supervisory review without requiring ad hoc document handling. Patient interactions should be routed through a patient portal and secure messaging functions, with staff instructed not to substitute consumer email or consumer text messaging for routine communications that involve protected health information.

Vendor evaluation should start with determining whether the platform vendor creates, receives, maintains, or transmits electronic protected health information on behalf of the therapy practice. When the vendor performs Business Associate functions, a Business Associate Agreement should be executed before electronic protected health information is entered into the platform. Contract review should confirm permitted uses and disclosures, breach reporting timeframes, subcontractor obligations, and requirements for data return or destruction upon termination. Contract terms should also restrict data aggregation or secondary use that falls outside the permitted purposes. Due diligence records should be retained to document procurement governance and support audit readiness.

User access controls should be designed around unique user identification and role based access that matches job functions. Each workforce member should have an individual account, and shared accounts should be prohibited. Permissions should be configured so clinicians, supervisors, billing staff, and administrative staff can access only the functions and records necessary for assigned duties under the HIPAA Minimum Necessary Rule. Provisioning procedures should document approvals, initial role assignment, and access changes, and deprovisioning procedures should remove access promptly when a user’s role changes or employment ends.

Authentication and technical safeguards should be configured to support defensible access management and activity monitoring. Password policies should be enforced through system settings where possible, and multifactor authentication should be enabled and required for administrative roles when available. Encryption should protect electronic protected health information both in transit and at rest, with responsibilities for key management and any customer controlled encryption options documented. Audit controls should be enabled to capture user access, record activity, and administrative configuration changes, and the organization should maintain procedures for retaining and exporting logs for investigations. Integrity controls should support versioning or change history for notes and forms so that record alterations can be identified and reviewed.

Telehealth workflows should include controls that restrict session access and limit opportunities for unauthorized entry. Meeting links and session settings should be configured to require authentication when supported, and waiting room or admission controls should be used to manage participant entry. Features that enable recording or sharing should be restricted unless explicitly approved by policy, and patient identity verification procedures should be defined for telehealth encounters and portal access. Secure messaging should be configured with retention settings aligned to record retention policies, and operational procedures should address message review, response expectations, and escalation for inappropriate disclosures. Appointment reminders should be configured to limit message content and avoid diagnosis or treatment details unless a patient authorization supports the disclosure and the practice has defined controls for that use.

Billing and payment workflows should be configured to support separation of duties when operationally feasible and to preserve an audit trail. Access to billing functions should be limited to staff with assigned billing responsibilities, and transaction logging should be enabled for payments, adjustments, and refunds. Reconciliation procedures should align posted transactions with bank settlements and outstanding balances, and claims workflows should document corrections, resubmissions, and adjustments. When a payment processor or clearinghouse handles electronic protected health information on behalf of the practice, the applicable Business Associate relationships should be identified, documented, and covered by executed agreements where required.

Deployment should follow a controlled implementation process that documents baseline security settings and validates protections before production use. Configuration baselines should address roles, permissions, authentication, encryption settings, and audit logging. Workforce training should cover portal use, secure messaging, telehealth procedures, minimum necessary access practices, and incident reporting steps. Data migration should include validation of record completeness and verification that access controls apply to migrated content, with migration tools and temporary access limited to authorized personnel and time bounded where possible. A go live checklist should document security settings, user provisioning readiness, backup procedures, and continuity arrangements, with a post deployment review process for access validation and audit log procedures.

Recommended Therapy Practice Management Software

OptiMantra is the best option to consider when a therapy practice needs a single platform to manage the full patient lifecycle across scheduling, clinical encounters, and ongoing follow-up activities. Selection can be supported by verifying that the platform supports end to end workflow control from initial appointment booking through visit delivery and post visit communications, with configurable intake processes, built-in HIPAA-compliant telehealth, documentation support, and continuity tools that keep patient interactions within a governed environment.

 

The post Therapy Practice Management Software appeared first on The HIPAA Journal.

83,000 Clients Affected by Cyberattack on Ohio Counseling Center

Posted by Steve Alder

The Counseling Center of Wayne and Holmes Counties has experienced a cyberattack affecting 83,350 individuals. Data breaches have also been announced by Neurological Associates of Washington and Pecan Tree Dental.

Counseling Center of Wayne and Holmes Counties

The Counseling Center of Wayne and Holmes Counties (CCWHC) in Wooster, Ohio, has experienced a data security incident affecting 83,354 individuals. On March 3, 2025, CCWHC’s third-party service provider notified CCWHC about a cybersecurity incident, which caused disruption to its IT systems. An investigation was launched, and steps were taken to contain and remediate the incident. All impacted systems and accounts were removed, credentials were reset, and leading data privacy and security experts were engaged to assist with the investigation.

The forensic investigation determined that an unauthorized third party gained access to a single CCWHC server on March 2, 2025, and exfiltrated files on March 3, 2025. Based on the initial findings of the investigation, the general types of information compromised in the incident include names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical condition information, treatment provider names, medical record numbers, treatment cost information, diagnoses, and treatment information.

CCWHC has worked with cybersecurity experts and privacy professionals to review and further strengthen system security. The file review was completed on December 9, 2025, and notification letters have now been mailed to the affected individuals.

Neurological Associates of Washington

Neurological Associates of Washington (NAW) has recently confirmed that the personal and protected health information of 13,500 individuals was stolen in a December 2025 cyberattack. It is now rare for a healthcare provider to disclose details about a hacking incident in its data breach notice; however, NAW has bucked that trend and disclosed that the Dragonforce ransomware group was behind the attack. NAW also confirmed that sensitive patient data was stolen and published on the dark web by Dragonforce.

NAW immediately alerted the Federal Bureau of Investigation (FBI), which investigated the incident and confirmed that the stolen data was published on the dark web on December 28, 2025. The FBI is conducting further investigations into the attack, but has confirmed that the data compromised in the incident related to patients from 2019 to 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, disability codes, medical information, and other types of data. New patients from January 2025 onwards had their data added to a new cloud-based records system, which was not accessed in the attack.

NAW said it has implemented a deep reset and restructuring of its IT system in response to the incident and confirmed that the affected database is now stored in an offline environment. At the time of issuing notifications, NAW said it was unaware of any actual or attempted misuse of the stolen data. As a precaution against identity theft and fraud, the affected individuals have been offered 12 months of complimentary credit monitoring services.

Pecan Tree Dental

Pecan Tree Dental, PLLC, in Grand Prairie, Texas, has confirmed that it experienced a cybersecurity incident involving unauthorized access to its computer systems. The website notice is light on detail, only stating that steps have been taken to secure its systems, and cybersecurity and legal professionals have been engaged to assist with the investigation. At the time of uploading the notice to its website, it was unaware of any unauthorized access to patient information or data misuse. The OCR breach portal indicates that up to 13,300 individuals had their protected health information exposed in the incident.

The Texas attorney general was informed that data compromised in the incident includes names, addresses, dates of birth, medical information, and health information. This appears to have been a ransomware attack by the Sinobi threat group, which added Pecan Tree Dental to its dark web data leak site on January 11, 2026. Sinobi claims to have exfiltrated 250 Gb of data in the attack and has leaked the stolen data.

The post 83,000 Clients Affected by Cyberattack on Ohio Counseling Center appeared first on The HIPAA Journal.