Legal News about HIPAA Compliance

Employees Drop Class Action Lawsuit Against Stryker Over Hamdala Cyberattack

A consolidated class action lawsuit against the medtech company Stryker over a March 2026 cyberattack has been voluntarily dismissed by the plaintiffs, shortly after Stryker filed a motion to dismiss the lawsuit, alleging a lack of standing.

The Iranian hacktivist group Hamdala targeted Stryker in response to the military action in Iran by the United States and Israel. The hackers breached certain Stryker systems, stole around 50 terabytes of data, and permanently erased 12 petabytes of data on around 200,000 company devices. The attack caused considerable disruption, taking systems out of action for weeks.

Eight current and former Stryker employees took legal action against the company alleging that their personal information was compromised in the attack. The lawsuits started to be filed within hours of Stryker announcing the cyberattack, before Stryker had completed its investigation. While a significant amount of data was stolen in the attack, Stryker said its forensic investigation found no evidence to suggest that any of the plaintiffs’ data was compromised.

Stryker searched for the plaintiffs’ personally identifiable information (PII) in the compromised files and found the business email addresses of two of the plaintiffs, but no PII. None of the plaintiffs received a notification from Stryker informing them that their PII was involved, but despite that, the plaintiffs took legal action against the company seeking to represent a class of individuals whose PII was compromised. On June 22, 2026, Stryker filed a motion to dismiss the class action litigation.

In its motion to dismiss, Stryker said the employees started filing lawsuits 48 hours after the cyberattack was announced on March 11, 2026, and that they speculated that their names, Social Security numbers, unspecified financial account information, unspecified health insurance information, and unspecified driver’s license information were compromised in the incident. The plaintiffs asserted claims for negligence, negligence per se, breach of implied contract, intrusion upon seclusion, unjust enrichment, breach of confidence, and declaratory judgment.

Stryker said the plaintiffs vaguely alleged that they had been injured as a result of the incident; however, those injuries were theoretical. Six of the plaintiffs alleged that their PII had been misused, speculating that it was due to the cyberattack on Stryker, but they failed to allege sufficient detail to link the misuse of their data to the Stryker cyberattack. Stryker determined that their PII had been exposed in numerous prior data breaches, including their Social Security numbers. Two of the plaintiffs had their PII exposed in at least 20 prior data breaches.

Stryker maintains that the incident did not involve devices or systems connected to its customers, although the attack did impact its electronic ordering system and other related systems used by its clients. The cyberattack has been reported to the U.S. Securities and Exchange Commission (SEC); however, the company has not issued breach notifications to the HHS’ Office for Civil Rights or state attorneys general at the time of publication.

The eight class action lawsuits filed by employees were consolidated into a single action – In re Stryker Corporation Cyberattack Litigation – in the U.S. District Court for the Western District of Michigan, Southern Division. The plaintiffs opted to voluntarily dismiss the consolidated lawsuit on June 29, 2026. U.S. District Court Judge Hala Jarbou has signed an order dismissing the employees’ claims without prejudice. Should Stryker determine that the plaintiffs’ PII was compromised in the incident, the lawsuits can be refiled.

The post Employees Drop Class Action Lawsuit Against Stryker Over Hamdala Cyberattack appeared first on The HIPAA Journal.

Greater Rochester Independent Practice Association Settles MOVEit Data Breach Litigation

A settlement has been agreed to resolve claims against Greater Rochester Independent Practice Association (GRIPA) arising from the May 2023 data breach involving Progress Software’s MOVEit file transfer solution.

In May 2023, the Russian-speaking hacking group Cl0p mass-exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Cl0p exploited the vulnerability to attack an estimated 2,700 companies that used the software, exfiltrated sensitive data, and then demanded payment to prevent the publication of the stolen data. Globally, almost 96 million individuals were affected. Cl0p proceeded to leak large amounts of data on the dark web when its ransom demands were not met.

In the United States, well over 100 class action lawsuits were filed against Progress Software and more than 100 client organizations over the attack and data breach. The plaintiffs alleged that the data breach could have been prevented by implementing industry-standard cybersecurity measures and protocols, such as software to detect suspicious activity, auditing the platform and Progress Software’s cybersecurity practices, and restricting the IP addresses that could access the platform and limiting the file types that could be uploaded.

The lawsuits had overlapping claims and were consolidated into a single multidistrict litigation, which was centralized in the U.S. District Court for the District of Massachusetts – In re: MOVEit Customer Data Security Breach Litigation. Progress Software made multiple bids to have the lawsuit dismissed, and in July 2025, the court largely denied the motions; however, it failed to dismiss the negligence claims under state law in California, Indiana, Michigan, and Ohio.

Several of the affected client organizations have already entered into settlements, including Bank of America, Nuance Communications, and Arietis Health. Now a settlement has been agreed to resolve claims against GRIPA related to the data breach, although the claims against Progress Software have not been resolved and will continue.

GRIPA faced four class action lawsuits over the data breach, the first of which was Clarke, et al. v. Progress Software Corp., et al.; all four were transferred to and coordinated with In re: MOVEit Customer Data Security Breach Litigation. GRIPA patients had their names, dates of birth, Social Security numbers, health & treatment information, health insurance information, pharmacy prescription information, and prescriber information compromised in the incident, and the publication of that data, according to the lawsuit, resulted in cognizable injuries. GRIPA faced claims for negligence, negligence per se, breach of third-party beneficiary contract, breach of implied contract, unjust enrichment, and declaratory and injunctive relief. GRIPA filed a motion to dismiss, which was denied in part and granted in part by the court on December 12, 2024.

GRIPA denies any wrongdoing and disagrees with the claims and contentions in the lawsuit. After considering the cost, expense, and length of proceedings, and the uncertainty of a trial and related appeals, the parties began settlement discussions. Mediation on June 10, 2025, was successful, with the material terms of a settlement agreed upon by all parties.

Under the terms of the settlement, GRIPA has agreed to establish a $2,150,000 settlement fund to pay claims made by the settlement class members. Claims will be paid after attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives have been deducted. Class members may submit a claim for reimbursement of up to $2,500 in ordinary losses, and up to $10,000 in extraordinary losses. Alternatively, if a claim for reimbursement of losses is not filed, class members may claim a one-time cash payment, estimated to be $100 per class member. The cash payments will be subject to a pro rata increase or decrease, depending on the number of valid claims received. In addition, all class members are entitled to file a claim for two years of complimentary credit monitoring and identity theft protection services.

The settlement has received preliminary approval from the court. The deadline for filing a claim is September 3, 2026. The final fairness hearing will be held on the same date. Individuals wishing to exclude themselves from the settlement or object to it must do so by August 4, 2026. Further information on the settlement can be found on the settlement website: https://www.moveitsettlementgripa.com/index.htm


Serviceaide Pays $1.8 Million to Settle Data Breach Litigation

Serviceaide, Inc., a provider of AI-powered solutions to boost productivity and enhance service delivery, has agreed to pay $1.8 million to settle a lawsuit stemming from a 2024 data breach that exposed the protected health information of patients of its client, Catholic Health.

Catholic Health is a Buffalo, NY-based non-profit healthcare system serving patients in Western New York through its hospitals, nursing homes, home care agencies, and physician practices. Catholic Health contracted with Serviceaide, and the provision of the contracted services required access to patient data. On or around November 15, 2024, Serviceaide identified unauthorized access to its systems. The forensic investigation confirmed that an unauthorized third party had access to its network from September 19, 2024, to November 5, 2024.

Serviceaide determined that a database containing the records of approximately 483,000 Catholic Health patients was potentially accessed or obtained. The database contained names, dates of birth, Social Security numbers, medical/health information, treatment information, health insurance information, and email addresses/usernames and accompanying passwords. The affected individuals were notified about the data breach on May 9, 2025.

Eleven class action lawsuits were filed in response to the data breach and were consolidated – Nancy Balzer, et al., v. Serviceaide, Inc. – in the Supreme Court of the State of New York, County of Nassau. The consolidated lawsuit alleges that the data breach should have been prevented and was the result of negligence on the part of the defendant. The lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, violations of California’s Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq., and declaratory judgment.

Serviceaide denies all wrongdoing, and disagrees with all claims and contentions in the lawsuit. The defendant filed a motion to dismiss, and the plaintiffs filed their opposition to the motion. To conserve resources for the benefit of the class members, the parties explored a potential settlement. As a result of hard-fought negotiations, the terms of a settlement were agreed, and the settlement has now been finalized.

Under the terms of the settlement, Serviceaide has agreed to establish a $1,800,000 settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the 15 class representatives will be deducted. The remainder of the fund will be used to pay valid claims from the class members.

Class members may claim one of two cash payments. They may submit a claim for reimbursement of documented, unreimbursed losses due to fraud or identity theft as a result of the incident, and other losses up to a maximum of $5,000 per class member. Alternatively, a claim may be submitted for a cash payment, estimated to be approximately $50 per claim. The cash payments will be paid pro rata after the claims for losses have been paid. The deadline for submitting a claim is September 1, 2026. The final fairness hearing has been scheduled for September 16, 2026. The deadline for objection and opting out is August 17, 2026.


Allina Health System to Pay $12.5 Million to Settle Pixel Litigation

Allina Health System, a nonprofit health system based in Minneapolis, Minnesota, that serves patients in Minnesota and Western Wisconsin, has agreed to pay $12,500,000 to resolve litigation over its use of website tracking technologies such as pixels. Those tools were alleged to have resulted in the disclosure of personally identifiable information (PII) and protected health information (PHI) to third parties such as Facebook (Meta) and Google, in violation of federal and state laws.

Those tools are extensively used on websites for marketing and advertising purposes. The tools collect information about website usage, and that information can be used to improve web services. It can also be used to serve targeted advertisements to individuals, based on their interactions on a website. Depending on how they are configured, these tools can collect individually identifiable health information when installed on healthcare providers’ websites, and if they are used on authenticated pages such as a patient portal, that information may include HIPAA-protected data.

The first lawsuit over the use of these tracking tools was filed by Plaintiff Jacqueline Ahlers on September 16, 2024, in the U.S. District Court for the District of Minnesota. An amended complaint was filed on February 12, 2025, adding a further two plaintiffs who had filed similar complaints. The consolidated lawsuit – Ahlers, et al. v. Allina Health System – asserted claims for invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, negligence, and violations of the Electronic Communication Privacy Act, Minnesota Health Records Act, and Minnesota Unfair and Deceptive Trade Practices Act.

Allina Health System denies wrongdoing and liability; however, after considering the cost, distraction, burden, and risks associated with continuing with the litigation, Allina Health System agreed to a settlement. Under the terms of the settlement, Allina Health System has agreed to pay $12,500,000 to resolve the complaint. From that amount, attorneys’ fees and expenses will be deducted, along with settlement administration and notification costs, and service awards for the class representatives.

The $12,500,000 will be split into two settlement funds: A Group 1 settlement fund of $10,303,098 and a Group 2 settlement fund of $2,196,902. The attorneys’ fees/expenses, settlement administration/notification costs, and service awards will be deducted from those settlement funds with an 82.42% (Group 1) and 17.58% (Group 2) split. The remaining funds will be paid pro rata to individuals submitting a claim.

The Group 1 settlement class consists of individuals who were patient portal users, non-portal bill pay users, and non-portal scheduling users between September 16, 2018, and May 11, 2026. The Group 2 settlement class consists of individuals who were non-portal, non-bill pay, and non-scheduling patients between September 16, 2018, and May 11, 2026.

The deadline for opting out of the settlement and objection to the settlement is August 10, 2026. Claims must be submitted by September 8, 2026, and the final approval hearing has been scheduled for September 24, 2026.


Okanogan Behavioral Healthcare Settles Class Action Data Breach Lawsuit

Okanogan Behavioral Healthcare, a provider of holistic behavioral health services in Okanogan County, Washington, has agreed to settle a class action lawsuit stemming from a May 2024 data breach that affected 26,429 individuals.

A network intrusion was identified on May 15, 2024, and the forensic investigation determined that an unauthorized third party had access to its network from May 13, 2024, to May 15, 2024. Data exposed in the incident included client names, contact information, dates of birth, Social Security numbers, driver’s license numbers, other identification numbers, and medical information, including diagnosis and treatment information, and health insurance information. The affected individuals started to be notified on August 23, 2024.

A lawsuit was filed – Doe v. Okanogan Behavioral Healthcare – in the Superior Court of the State of Washington for the County of Okanogan in response to the data breach, alleging that the data breach was due to the failure of the defendant to implement reasonable and appropriate cybersecurity measures, and had they been implemented, the data breach could have been prevented. Okanogan Behavioral Healthcare denies wrongdoing and liability, and disagrees with all claims and contentions in the lawsuit; however, a settlement was agreed to avoid further litigation costs and the uncertainty of a trial and associated appeals.

Okanogan Behavioral Healthcare has agreed to cover attorneys’ fees and expenses, settlement notification and administration costs, and a service award for the class representative. Under the terms of the settlement, class members may submit a claim for reimbursement of losses due to the data breach and/or an alternative cash payment or credit monitoring services.

Claims may be submitted for reimbursement of documented, unreimbursed ordinary losses, up to a maximum of $300 per class member, and extraordinary losses up to a maximum of $5,000 per class member. A claim may also be submitted for an alternative cash payment, anticipated to be $50 per class member, or two years of credit monitoring services. The maximum claim is therefore $5,300 plus $50, or $5,300 plus credit monitoring services.

The deadline for objection to the settlement and exclusion is August 4, 2026. The deadline for submitting a claim is September 3, 2026, and the final approval hearing has been scheduled for September 3, 2026.


Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit

Bradford Health Services, LLC, and Bradford Health Partners, LLC, were sued over a December 2023 cybersecurity incident that exposed the personal and protected health information of current and former patients. The lawsuit states that 32,425 individuals were affected by the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 28,543 individuals.

The unauthorized access was detected on December 8, 2023, and the file review determined that names, dates of birth, driver’s license numbers, medical information, including diagnosis and treatment information, health insurance information, financial account numbers, passport numbers, payment card numbers, plus a means of access to the account, and/or Social Security numbers had been compromised. The data review was not completed until May 2025, and notification letters started to be mailed later that month – 18 months after the breach was first identified. The Hunters International threat group claimed responsibility for the attack and stated that more than 760 GBs of data were exfiltrated from the defendants’ systems.

Multiple class action lawsuits were filed in response to the cyberattack and data breach and were consolidated – In Re Bradford Health Services, LLC Data Breach Litigation – in the Circuit Court of Jefferson County, Alabama, Birmingham Division, where the lawsuit is still pending. The plaintiffs allege that the data breach was due to the negligence of the defendants, who are alleged to have failed to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence/wantonness, negligence per se, breach of express or implied contract, and unjust enrichment.

Shortly after the consolidated class action lawsuit was filed, the parties began exploring the possibility of an early resolution to limit costs and avoid the uncertainty of a trial and related appeals. Following mediation in October 2025, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and has received preliminary approval from the court.

The defendant has agreed to pay attorneys’ fees, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. All class members are entitled to enroll in three years of medical data monitoring services and may also submit a claim for reimbursement of documented losses up to $5,000 per class member, or an alternative cash payment, which is estimated to be $150, but may be higher or lower depending on the number of claims received.

The deadline for objection and exclusion is August 3, 2026, and claims must be submitted by August 17, 2026. The final fairness hearing has been scheduled for September 1, 2026.


Hillcrest Convalescent Center Settles Class Action Data Breach Litigation

Hillcrest Convalescent Center, a short-term inpatient rehabilitation and skilled nursing facility in Durham, North Carolina, has agreed to settle class action litigation over a June 2024 cyberattack.

Hackers breached its network, resulting in unauthorized access to and the potential theft of patients’ personal and protected health information. The hackers had access to information such as names, addresses, dates of birth, financial account numbers, driver’s license numbers, Social Security numbers, medical treatment information, and health insurance information. The incident affected more than 106,000 individuals, who were notified by mail in March 2025.

The data breach sparked several class action lawsuits, which were consolidated as they had overlapping claims. The consolidated lawsuit – In re Hillcrest Convalescent Center, Inc. Data Breach Litigation – is pending in the Superior Court of Durham County, North Carolina. Hillcrest Convalescent Center denies the allegations of wrongdoing and liability and, in September 2025, filed a motion to dismiss the consolidated complaint. The plaintiffs filed their response in October 2025, and later that month, the defendant filed their reply in further support of the motion to dismiss. Shortly thereafter, the parties began exploring the possibility of a settlement.

During mediation in January 2026, the parties agreed on the material terms of a settlement, which has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for reimbursement of documented out-of-pocket losses due to the data incident up to a maximum of $2,500 per class member. Class members who choose not to submit such a claim may instead claim an alternative cash payment, estimated to be $50 per claimant.

Regardless of the option chosen, class members are eligible to enroll in two years of credit monitoring services, which include a $1 million identity theft insurance policy. Claims must be submitted by August 26, 2026, and the final approval hearing has been scheduled for August 24, 2026. Individuals who do not submit a claim will lose the right to sue the defendant over the data breach and will receive nothing from the settlement. Individuals who want to retain the right to sue can exclude themselves and must do so by July 27, 2026. Objections to the settlement must be filed by July 27, 2026.


Multi-million-dollar Settlement Agreed to Resolve MCNA Dental Data Breach Lawsuit

A settlement has been agreed to resolve class action data breach litigation against Managed Care of North America (MCNA), Inc., and MCNA Insurance Company, doing business as MCNA Dental and Healthplex, Inc. The companies were sued in response to a massive data breach in 2023 that affected almost 9 million individuals. In March 2023, the defendants identified unauthorized access to the MCNA network. The LockBit ransomware group was behind the attack and first gained access to the network on February 22, 2023. Access was maintained until March 7, 2023, when ransomware was used to encrypt files. Prior to file encryption, sensitive data was exfiltrated from the network, including personal and protected health information (PHI).

MCNA Dental is one of the largest providers of government-sponsored dental benefits to children through state Medicaid and Children’s Health Insurance Programs, and stores a vast amount of PHI. The investigation determined that the ransomware group accessed or exfiltrated the PHI of 8,923,662 individuals, including names, contact information, Social Security numbers, driver’s license numbers, government-issued ID numbers, health information, and health insurance information. When the ransom was not paid, the LockBit group proceeded to leak the stolen data. The affected individuals were notified about the data breach in late May 2023.

A data breach of this scale was certain to trigger multiple class action lawsuits, the first of which was filed on June 5, 2023. In total, the defendants were named in 25 putative class action lawsuits. The lawsuits were materially and substantively identical, with overlapping claims, and on July 13, 2023, the lawsuits were consolidated into a single action – Crowe et al. v. Managed Care of North America Inc. d/b/a MCNA Dental, MCNA Insurance Company d/b/a MCNA Dental, and Healthplex, Inc. – in the United States District Court for the Southern District of Florida.

The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, violations of state consumer protection act statutes, and declaratory and injunctive relief. A settlement failed to be agreed upon during court-appointed mediation, and the defendants sought to have the case dismissed. The lawsuit survived, and extensive discovery and litigation followed, along with a second failed attempt at mediation. After extensive subsequent settlement discussions, the material terms of a settlement were agreed upon.

The terms of the settlement have now been finalized, with no admission of liability or wrongdoing by the defendants. The defendants have agreed to establish a multi-million-dollar settlement fund to pay benefits to the class members, attorneys’ fees (up to $6,400,000), attorneys’ expenses (up to $1,313,000), and settlement administration costs (up to $2,000,000). The total value of the settlement has not been made public.

Class members may submit a claim for reimbursement of documented losses due to the data breach up to a maximum of $2,500 per class member; however, these claims have been capped at a total of $250,000. Class members are eligible to claim two years of medical data monitoring services, which include a $1 million identity theft reimbursement policy. These services have a retail cost of $179.40 per year for each class member who enrolls. In addition to paying the costs and benefits, MCNA has agreed to take several steps to improve security and has updated its business practices to reduce the risk of similar breaches in the future.

While all parties have agreed to the terms of the settlement, it has yet to receive preliminary approval from the court. The dates for objection, exclusion, and submitting claims will be set when and if the court approves the settlement. Class members will start to be notified directly about the settlement within 30 days of the court’s preliminary approval order. The notifications will include information on how to submit a claim and a code to activate the medical data monitoring service.


FMC Services Agrees to $2.15M Settlement to End Data Breach Lawsuit

FMC Services LLC, the operator of a network of primary care clinics in Amarillo and Canyon, Texas, experienced a cyberattack and data breach in 2022. The class action lawsuit that followed has recently been settled for $2.15 million.

The cyberattack was detected on July 26, 2022, and the forensic investigation confirmed that files had been exposed containing names, addresses, dates of birth, Social Security numbers, and health information. The FMC Services data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 233,948 individuals. Notification letters were mailed to 266,540 individuals.

Four individuals filed class action lawsuits in response to the exposure of their personal and protected health information. The lawsuits made similar claims and were consolidated into a single action – Sharber, et al. v. FMC Services, LLC – in the District Court of Potter County, Texas. The consolidated lawsuit claimed that FMC Services had a duty to maintain reasonable and appropriate cybersecurity measures and breached that duty, resulting in the cyberattack and data breach. The lawsuit asserted claims for negligence, negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment.

FMC Services denies any wrongdoing; however, it began discussing a potential settlement in mid-2024, but the terms of a settlement could not be agreed upon during mediation. Following extensive discovery and litigation, and after the plaintiffs defeated the defendant’s motion for summary judgment, a second attempt at mediation resulted in the material terms of a settlement being agreed upon.

The settlement has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, FMC Services will establish a $2,150,000 settlement fund to cover benefits to the settlement class members, attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the four class representatives.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. There is an alternative cash payment for class members who elect not to submit a reimbursement claim. The alternative cash payment is estimated to be $75 per class member, but it will depend on the number of valid claims.

All class members are also entitled to claim two years of medical data monitoring services, regardless of the cash payment they claim. The deadline for objection and exclusion is August 17, 2026, and claims must be submitted by August 31, 2026. The final fairness hearing has been scheduled for September 15, 2026.
