Emergency Medical Services Authority & Compassion Health Care Settle Data Breach Litigation

Posted by Steve Alder

Emergency Medical Services Authority in Oklahoma and Compassion Health Care in North Carolina were sued over cyberattacks and data breaches. Settlements have now been agreed to resolve both class action lawsuits.

Emergency Medical Services Authority Data Breach Settlement

Emergency Medical Services Authority (EMSA), the largest provider of pre-hospital emergency medical care in the state of Oklahoma, has agreed to settle a class action lawsuit stemming from a cyberattack detected on February 13, 2024. EMSA determined that hackers accessed its network between February 10, 2024, and February 13, 2024, and acquired files containing patient and employee data. The data breach affected 611,743 individuals and included names, addresses, dates of birth, dates of service, and  Social Security numbers.

Two class action lawsuits were filed in response to the data breach, which were consolidated in the Oklahoma District Court of Oklahoma County – Wade Quick and Laura Lance v Emergency Medical Services Authority. EMSA denies all claims of liability, fault, and wrongdoing, and sought to have the lawsuit dismissed. The court sustained in part and denied in part the motion to dismiss, and the lawsuit proceeded to discovery. A second motion to dismiss was filed for lack of jurisdiction, and after the plaintiffs filed their response, all parties agreed to resolve the lawsuit with a settlement rather than continuing to litigate.

Under the terms of the settlement, EMSA will establish a $1.5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the class members, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $3,000 per class member.  A claim may also be submitted for compensation for up to four hours of lost time at $15 per hour. While documentation is not required for the lost time claim, class members must sign an attestation that includes a brief description of the lost time. Lost time payments are included in the £3,000 cap per class member.

Class members may also claim two years of single-bureau credit monitoring and identity theft protection services. The deadline for submitting a claim is March 5, 2026. The final fairness hearing has been scheduled for April 5, 2026.

Compassion Health Care Data Breach Settlement

The Yanceyville, North Carolina-based medical practice, Compassion Health Care, has agreed to pay up to $600,000 to settle a class action lawsuit over a breach of the protected health information of 23,600 individuals. A cybersecurity incident was identified on or around March 17, 2025, and the forensic investigation confirmed that an unauthorized third party hacked its systems, and potentially obtained protected health information such as names, addresses, phone numbers, date of births or ages, Social Security numbers, driver’s license numbers, health insurance information, claims information, and clinical/diagnostic information. The affected individuals were notified about the data breach on or around May 16, 2025.

The first class action lawsuit over the data breach was filed on May 23, 2025, followed by a further two lawsuits. An amended complaint was filed in the Caswell County Superior Court for the State of North Carolina on July 2, 2025, adding the additional plaintiffs – Allin v. Compassion Health Care. The lawsuit alleged that the cyberattack occurred as a result of the failure to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims of negligence/negligence per se, breach of implied contract, breach of confidence, and unjust enrichment.

Shortly after the amended lawsuit was filed, the defendant provided the plaintiffs with informal discovery, including information about the cybersecurity measures implemented prior to the data breach. After arms-length discussions, the material terms of a settlement were agreed upon. The settlement has now been finalized, with no admission of liability or wrongdoing, and the settlement has received preliminary approval from the court. The $600,000 will be used to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach, or class members may claim an alternative cash payment of $40.

The deadline for submitting a claim differs based on CPT ID. Class members with a CPT ID under 20,000 have until February 23, 2026, to submit a claim. Class members with a CPT ID over 20,000 have until May 4, 2026, to submit a claim. The final fairness hearing has been scheduled for May 4, 2026.

The post Emergency Medical Services Authority & Compassion Health Care Settle Data Breach Litigation appeared first on The HIPAA Journal.

Healthcare Remains the Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY

Posted by Steve Alder

A new record was set for ransomware attacks last year, with disclosed ransomware attacks increasing by 49% year-over-year to a record-high of 1,174 attacks, according to Black Fog’s 2025 State of Ransomware Report. There was also a 37% year-over-year increase in undisclosed attacks, with 7,079 victims added to dark web data leak sites in 2025. The figures indicate that globally, 86% of ransomware attacks are not disclosed by victims.

Data theft almost always occurs with ransomware attacks. In 2025, 96% of attacks involved data exfiltration prior to file encryption, which results in greater organizational harm. Data exfiltration has contributed to the significant increase in breach costs, as data theft results in greater reputational harm and increased regulatory exposure. In 2025, the average cost of a data breach was $4.44 million globally, and $7.42 million for healthcare data breaches. Healthcare retained its position as the sector most targeted by ransomware groups in 2025, accounting for 22% of disclosed attacks. All sectors experienced an increase in attacks in 2025, apart from education, which saw a 13% year-over-year decrease in attacks.

The breakup of large ransomware groups has led to a fragmentation of the ransomware ecosystem, and the number of active ransomware groups continued to increase in 2025. Black Fog tracked 130 different ransomware groups in 2025, of which 52 were new groups that emerged in 2025, a 9% increase from 2024. Several groups that emerged in 2025 have disproportionately targeted the healthcare sector, including Sinobi, Insomnia, and Devman. Devman issued the largest ever ransom demand of $91 million in 2025 for its attack on China’s real estate development company Shimao Group Holdings. World Leaks, widely believed to be a rebrand of Hunters International, has also claimed several healthcare victims, as have all of the top three most prolific and dangerous ransomware groups of the year: Qilin, Akira & Play.

There was a surge in activity by the most prolific ransomware group – Qilin – in 2025, which claimed a total of 1,115 disclosed and undisclosed attacks. Qilin was behind two of the most impactful healthcare ransomware attacks of the year – ApolloMD and Covenant Health. The ransomware attack on ApolloMD was detected in May 2025, yet it took until February 2026 to confirm that the protected health information of more than 626,500 patients was compromised.

The attack on Covenant Health also occurred in May 2025. Initial access was gained on May 18, 2025, and, as was the case with the attack on ApolloMD, sensitive data was rapidly identified and exfiltrated. The Covenant Health attack was detected on May 26, 2025, when the affected systems were shut down to contain the incident. Disruption continued into June, and the attack was initially disclosed a month later, although the initial breach report suggested that the protected health information of just 7,864 individuals was compromised in the incident. As the investigation progressed, it became clear that data theft was far more extensive. In December 2025, when the investigation concluded, Covenant Health confirmed that 478,188 patients had been affected.

Akira was the second-most active group, claiming a total of 776 victims in 2025, with the third most active group – Play – accounting for 405 ransomware attacks. Black Fog identified the emergence of large-scale, AI-enabled attacks last year, when a ransomware group hijacked Anthropic’s Claude model to autonomously perform reconnaissance, exploitation, and data theft – the first time that an AI-led ransomware campaign has been identified.

“The global impact of ransomware across 2025 has been unprecedented. From high street chains to hospitals, ransomware doesn’t respect borders, the size of organization, or the sector you’re in. It’s brought vital services, established companies – and the smaller partners who depend on them – to a grinding halt,” Dr Darren Williams, Founder and CEO of BlackFog said. “The disruption they cause is only part of the story. Attackers aren’t just breaking in – they’re intent on stealing data to power extortion. By weaponizing AI they can outpace defenders at a new scale and use stealthy targeted techniques to slip past traditional security measures. Putting protections in place to close these gaps and prevent data exfiltration has to take priority as attackers focus on targeting organizations’ most sensitive information.”

The post Healthcare Remains the Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY appeared first on The HIPAA Journal.