Legal News about HIPAA Compliance

Discovery Practice Management Settles Lawsuit Over 2020 Data Breach

Discovery Practice Management, a California-based healthcare provider, has agreed to settle a class action lawsuit stemming from a June 2020 breach of its email environment. An unauthorized third party accessed employee email accounts between June 22, 2020, and June 26, 2020, and obtained sensitive information relating to patients of the Authentic Recovery Center and Cliffside Malibu facilities in California. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 12,859 individuals.

Data potentially compromised in the incident included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license numbers, and clinical information, such as diagnosis, treatment information, and prescription information. It took almost a year for the emails to be reviewed and notification letters to be issued to the affected individuals.

In February 2021, JeanPaul Magallanes filed a class action lawsuit – JeanPaul Magallanes, et al v. Discovery Practice Management, Inc. – in response to the data breach. The lawsuit alleged that Discovery Practice Management failed to implement appropriate measures to safeguard sensitive data stored on its network, and then failed to issue adequate and timely notification letters when its email environment was compromised.

The alleged cybersecurity failures included insufficient monitoring of inbound emails, insufficient training of its workforce on email-based threats, and the failure to encrypt a data server that became accessible to the unauthorized individuals who compromised two employee email accounts. Despite the significant risk to the affected patients, notification letters were not issued until 335 days after the date of discovery, far beyond the 60-day outer limit set by the HIPAA Breach Notification Rule, which the lawsuit claims violated HIPAA and the California Consumer Records Act.

The lawsuit claims the actions of the defendant violated the California Confidentiality of Medical Information Act, California Unfair Competition Law, and the California Consumer Records Act. All parties agreed to engage in settlement discussions to avoid the cost and risk of a trial, and a settlement has been agreed upon with no admission of wrongdoing by Discovery Practice Management. The settlement has recently been granted preliminary approval by Judge Glenda Sanders of the Superior Court of the State of California, for the County of Orange.

Under the terms of the settlement, all class members are entitled to claim a three-year membership to CyEx’s Identity Defense Total Service, and must enroll by December 9, 2025. In addition, claims may be submitted for reimbursement of documented, unreimbursed ordinary and extraordinary losses caused by the data breach. Claims for reimbursement of ordinary losses are capped at $250 per class member, and claims for reimbursement of extraordinary losses are capped at $1,000 per class member.

The deadline for objection to the settlement, exclusion from the settlement, and submitting a claim is November 24, 2025. The final fairness hearing has been scheduled for February 5, 2026.

The post Discovery Practice Management Settles Lawsuit Over 2020 Data Breach appeared first on The HIPAA Journal.

Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies

Data breaches have recently been identified by Sun Valley Surgery Center in Nevada and American Associated Pharmacies in Alabama.

Sun Valley Surgery Center

Sun Valley Surgery Center in North Las Vegas, Nevada, has identified unauthorized access to its computer network. Anomalous activity was identified within its information systems on September 3, 2025. The forensic investigation confirmed that an unauthorized third party accessed parts of its network where sensitive patient information was stored.

Data potentially compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license/state-issued identification numbers, passport/other government identification numbers, and health information such as health histories, diagnosis/treatment information, explanation of benefits, health insurance information, and/or medical record numbers/patient identification numbers. Sun Valley Surgery Center has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Approximately 27,000 individuals were potentially affected.

American Associated Pharmacies

One of the largest independent pharmacy organizations in the United States has announced a ransomware attack that resulted in the encryption of data on its systems. Scottsboro, AL-based American Associated Pharmacies (AAP) identified suspicious activity, including file encryption, within its computer network on October 23, 2024. Immediate action was taken to contain and mitigate the incident, including shutting down all affected systems and changing passwords to prevent further unauthorized access. The forensic investigation confirmed that initial access occurred on October 13, 2024, ten days before the files were encrypted.

Assisted by third-party cybersecurity professionals, AAP determined that before file encryption, the attackers exfiltrated files from its network. The review of those files has recently been completed, and individual notifications are now being mailed to the affected individuals. Data compromised in the incident varies from individual to individual and may include names, addresses, birth dates, Social Security numbers, passport numbers, driver’s license number/other government-issued identification numbers, bank/financial account numbers/routing numbers, clinical/treatment information, medical information, provider names, medical record numbers, health insurance information, prescription information and/or usernames and passwords.

Several steps have been taken to augment security to prevent similar incidents in the future, including implementing further monitoring tools and expanding the use of multifactor authentication. The affected individuals have been advised to monitor their free credit reports, account statements, and explanation of benefits statements for suspicious activity. Credit monitoring and identity theft protection services have been offered to certain individuals, according to the notification sent to the Maine Attorney General. That notification indicates 8,032 individuals have been affected, including 25 Maine residents.


MedQ Agrees to Settlement to Resolve Ransomware Attack Lawsuit

MedQ Inc., an administrative service provider serving the healthcare industry, has agreed to settle class action litigation over a December 2023 ransomware attack that affected 54,725 individuals.

A ransomware group accessed its network and deployed ransomware on or around December 26, 2023. The investigation confirmed unauthorized access to its network from December 20, 2023, and the exfiltration of data from its network. The stolen data included names, dates of birth, health information, health insurance information, Social Security numbers, and driver’s license numbers. Complimentary credit monitoring services were offered, but that was not sufficient to prevent several class action lawsuits.

Five lawsuits were filed in response to the data breach by plaintiffs Sharon Klepper, Shelby D. Franklin, Cheri Ramey, Jana Harrison, and Debra Everett, individually and on behalf of similarly situated individuals. The lawsuits had overlapping claims and were consolidated into a single action – Klepper, et al. v. MedQ, Inc. – in the District Court of Oklahoma County, Oklahoma, on May 13, 2024.

MedQ disagreed with all claims in the lawsuit and maintains there was no wrongdoing or liability. MedQ filed a motion to dismiss, and during briefing on that motion, all parties decided to explore early resolution of the action and scheduled mediation for December 20, 2024. Following a second mediation session on April 25, 2025, the material terms of a settlement were agreed upon by all parties. The settlement terms have now been finalized and have received preliminary approval from the court.

The settlement provides class members with two years of three-bureau credit monitoring services, which include dark web monitoring, public records monitoring, medical identity monitoring, and identity theft insurance. In addition, class members may choose one of two cash benefits. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, plus a cash payment of up to $90 as compensation for lost time (up to 3 hours at $30 per hour) spent on tasks related to the data breach, such as changing passwords, investigating accounts, and researching the data breach. Alternatively, class members may claim a one-time cash payment of $50.

The deadline for objection to and exclusion from the settlement is December 1, 2025. The deadline for submitting a claim is December 15, 2025, and the final fairness hearing has been scheduled for December 18, 2025.


First Choice Dental Agrees to Pay up to $1,225,000 to Settle Data Breach Lawsuit

First Choice Dental, a network of 12 dental clinics in and around Madison in Dane County, Wisconsin, experienced a ransomware attack on October 22, 2023. A settlement has recently been agreed to resolve litigation stemming from the data breach.

As reported by The HIPAA Journal in January 2024, First Choice Dental issued an interim notification about the incident, alerting patients to the exposure of some of their protected health information. At the time of issuing, the investigation into the cyberattack was ongoing. The HHS’ Office for Civil Rights was provided with an interim total of 1,000 affected individuals.

First Choice Dental explained that unauthorized network activity was first identified on October 22, 2023, but it had yet to be determined how many individuals had been affected or the types of data involved. On July 12, 2024, almost nine months after the attack, individual notification letters started to be mailed. Patients were told that the compromised information included names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers/government ID numbers, credit/debit card numbers, and health information. The HHS’ Office for Civil Rights breach portal still lists the data breach as affecting 1,000 individuals, although the breach was far more extensive than the breach portal suggests, affecting more than 159,000 individuals.

The first class action lawsuit over the data breach was filed by plaintiff Kelly Gorder on July 17, 2024, in the Dane County Circuit Court of the State of Wisconsin against FCDG Management, LLC, d/b/a First Choice Dental. A further six lawsuits were subsequently filed in response to the data breach, which were consolidated in a single action in the same court – Kelly Gorder, et al., v. FCDG Management, LLC d/b/a First Choice Dental.

According to the consolidated class action complaint, the data breach could have been prevented if First Choice Dental had implemented reasonable and appropriate safeguards and followed industry-standard data security practices. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, and violations of Wisconsin Statute § 146.82.

First Choice Dental denies the claims and contentions in the lawsuit and maintains there was no wrongdoing and no liability, and on January 6, 2025, sought to have the class action lawsuit dismissed in its entirety. That attempt was partially successful, with the court dismissing the claims of invasion of privacy and unjust enrichment, but the other claims were allowed to proceed. After considering the time and expense of litigation and the uncertainty of a trial and related appeals, all parties engaged in mediation on July 1, 2025, and the principal terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court.

The settlement class consists of 159,145 individuals who were notified about the data breach. Those individuals are entitled to claim a three-year membership to the CyEx Medical Shield Monitoring product, which includes a $1 million identity theft insurance policy. In addition, class members may claim one of two benefits. A claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses due to the data breach up to a maximum of $6,000 per class member. Alternatively, a one-time cash payment of $50 may be claimed.

Claims will be paid after settlement administration costs, attorneys’ fees and expenses, and service awards have been paid, along with $225,000 of security improvements. The total settlement costs, inclusive of the above, have been capped at $1,225,000. Claims will be prorated downward if that total is exceeded.

The deadline for submitting a claim is January 28, 2026, and the final fairness hearing has been scheduled for January 12, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 29, 2025. Further information can be found on the settlement website: https://www.fcdgdatasettlement.com/


University of Tennessee Medical Center & Margaret Mary Community Hospital Settle Meta Pixel Lawsuits

University of Tennessee Medical Center and Margaret Mary Community Hospital have both agreed to settle class action lawsuits over the use of tracking tools such as Meta Pixel on their websites.

University of Tennessee Medical Center

University of Tennessee Medical Center (UTMC) in Knoxville, Tennessee, has agreed to a settlement to resolve a class action lawsuit that alleged UTMC violated the Tennessee Consumer Protection Act by adding tracking technologies to its website, resulting in the unauthorized disclosure of patients’ personally identifiable health information to Meta, Google, and other third parties.

The lawsuit – Geoffrey Cavalier v. University Health Systems, Inc. d/b/a The University of Tennessee Medical Center – was filed in the Chancery Court for Knox County, Tennessee, and alleged that UTMC used tracking technologies such as Meta Pixel on its websites between January 1, 2015, and September 30, 2023. The lawsuit alleges that the tracking technologies collected and transmitted patients’ personally identifiable information (PII) and protected health information (PHI) to third parties without their knowledge or consent.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy-intrusion upon seclusion, breach of implied contract, unjust enrichment, and violations of the Tennessee Consumer Protection Act, Tenn. Code Ann. § 47-18-101, et seq., and Tenn. Code Ann. § 39-13-601. UTMC denies all claims in the lawsuit, maintains there was no wrongdoing, and contends that no tracking code was added to its patient portal and no protected health information was disclosed to any third party via the utmedicalcenter.org website. After considering the costs and risks associated with continuing with the litigation and a jury trial, UTMC agreed to settle the lawsuit. The plaintiffs believe that the settlement is fair, reasonable, and adequate, and settling is in the best interests of all class members.

All class members, individuals who had a patient portal account between January 1, 2015, and September 30, 2023, may submit a claim for a cash payment of $25.00. All individuals who submit a timely and valid claim for a cash payment will also be provided with a complimentary Privacy Shield Pro membership, which includes dark web monitoring, a VPN, data broker opt-out, and other privacy services. The deadline for submitting a claim is December 9, 2025, and the final fairness hearing has been scheduled for December 8, 2025.

Margaret Mary Community Hospital

Margaret Mary Community Hospital in Batesville, Indiana, has settled a class action lawsuit that alleged unlawful use of tracking technologies on its website. The lawsuit claims that Meta Pixel and other tracking tools were used on its website between 2020 and 2023 without users’ knowledge or permission. The lawsuit alleges that adding those tools to the website caused patients’ personally identifiable information to be transferred to Meta and others.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the Indiana Deceptive Consumer Sales Act. Margaret Mary Community Hospital disagrees with all claims and contentions in the lawsuit and maintains that there was no wrongdoing; however, a settlement was agreed to avoid the costs and risks associated with a trial and related appeals.

All class members, individuals who logged into the Margaret Mary Community Hospital patient portal between January 1, 2020, and December 31, 2023, may claim a cash payment of $25.00 and a complimentary membership to a Privacy Shield Pro product. Individuals wishing to opt out of or object to the settlement must do so by November 15, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for December 18, 2025.


Willis-Knighton Medical Center Settles Website Tracking Technology Lawsuit

A settlement has been agreed to resolve a class action lawsuit against the Louisiana health system, Willis-Knighton Medical Center. The litigation stems from the use of tracking technologies on its public-facing website.

Several lawsuits were filed against Willis-Knighton Medical Center over the use of tracking tools on its website and patient portal, which are alleged to have caused unauthorized transmissions of personally identifiable, non-public information to third parties such as Google and Facebook. The lawsuits were consolidated in a single action – Jacqueline Horton, et al. v. Willis-Knighton Medical Center – pending in the 10th Judicial District Court for Natchitoches Parish in Louisiana.

Tracking technologies such as pixels are used extensively across the Internet, including by many healthcare providers. The problem is that these tags run in the visitor’s browser as part of the page, so they can read the address of the page being viewed, terms typed into search and appointment forms, and the buttons clicked, and they transmit that data, tied to the vendor’s own identifiers for the visitor, to the vendor’s servers. On a healthcare website, that information may be protected health information under HIPAA, sent to third parties that are not authorized to receive it. One study found that more than 99% of hospitals had added these tools to their websites.

Willis-Knighton Medical Center denies the allegations and specifically denies that any medical information from its website or patient portal was shared with Facebook or Google; however, to avoid the cost and distraction of continuing with the litigation, and the uncertain outcome of a trial, the decision was taken to settle the litigation.

Under the terms of the settlement, class members are entitled to one year of CyEx Privacy Shield Pro, a privacy protection product, and may also claim a cash payment. The cash payments differ depending on the subclass. Individuals who used the “request an appointment” feature may claim a cash payment of $25, members of the InteliChart settlement class may claim a cash payment of $38, and members of the Medtech settlement class may claim a cash payment of $15.

Willis-Knighton Medical Center has also agreed not to use 16 specified digital analytics tools on its website and patient portal for a period of two years from the date of final approval of the settlement. The list includes Google DoubleClick, Google Ads, Meta, Amazon, TikTok, Pinterest, and TheTradeDesk.
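The mechanism described above (a tag running in the visitor’s browser, reporting the page address and form activity to the vendor) is easy to miss in a manual review because the Meta Pixel bootstrap injects its own script tag at run time rather than appearing as a plain src attribute. The following is an added example, not code from The HIPAA Journal or from any organization named on this page: a static scanner that reads a page’s HTML, reports third-party loads (including those hidden inside inline bootstrap snippets), and shows what a page-level tag can read from the address bar alone. The sample HTML is constructed, the pixel and tag identifiers in it are placeholders, and the TRACKER_HOSTS list is an illustrative subset keyed to the vendors named in the settlement, not the 16 tools the settlement enumerates.

```python
"""Static scan of a web page for third-party tracking tags.

Added example; not code from The HIPAA Journal or any organization named
on the page. The HTML is constructed and the host list is an illustrative
subset (assumption: a real watchlist is maintained from the vendors' own
documentation and the settlement's actual list of 16 tools).
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Illustrative tracker hostnames -> vendor label (assumption, see above).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel (JavaScript loader)",
    "www.facebook.com": "Meta Pixel (noscript image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / Google Ads",
    "googleads.g.doubleclick.net": "Google DoubleClick",
    "analytics.tiktok.com": "TikTok Pixel",
    "ct.pinterest.com": "Pinterest Tag",
    "js.adsrvr.org": "TheTradeDesk",
    "s.amazon-adsystem.com": "Amazon Ads",
}

# Constructed sample: a portal page that loads one first-party script,
# bootstraps the Meta Pixel inline (as the vendor snippet does), and loads a
# Google tag. All identifiers are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/static/portal.js"></script>
<script>
!function(f,b,e,v,n,t,s){/* vendor bootstrap elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000'); fbq('track','PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-000000000"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<img src="https://portal.example-hospital.org/static/logo.png">
</body></html>
"""


class _TagCollector(HTMLParser):
    """Collects src attributes of script/img/iframe tags and inline script text."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.srcs.append(a["src"])
        elif tag == "script":
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)


def find_trackers(html, first_party_host):
    """Return third-party loads in the page, one dict per (host, where).

    src attributes are checked directly. A tag injected by an inline bootstrap
    never appears as a src attribute, so inline script text is searched for the
    tracker hostnames as well.
    """
    p = _TagCollector()
    p.feed(html)
    found = {}
    for src in p.srcs:
        host = urlparse(src).hostname  # None for relative URLs; "//host/x" parses too
        if host is None or host == first_party_host:
            continue
        found[(host, "src")] = TRACKER_HOSTS.get(host, "unlisted third party")
    inline_text = "\n".join(p.inline)
    for host, vendor in TRACKER_HOSTS.items():
        if host in inline_text:
            found[(host, "inline")] = vendor
    return [{"host": h, "where": w, "vendor": v} for (h, w), v in sorted(found.items())]


def page_url_exposure(page_url):
    """What a page-level tag can read from the address bar alone.

    Assumption: the tag reports the full document URL with each page-view
    event, the common behaviour of page-view beacons. A path such as
    /appointments/schedule or a query such as dept=oncology then reaches the
    vendor without the visitor typing anything into the page.
    """
    u = urlparse(page_url)
    return {"path": u.path, "query": dict(parse_qsl(u.query))}


if __name__ == "__main__":
    for f in find_trackers(SAMPLE_HTML, "portal.example-hospital.org"):
        print(f"{f['where']:6} {f['host']:28} {f['vendor']}")
    print(page_url_exposure(
        "https://portal.example-hospital.org/appointments/schedule?dept=oncology&provider=123"))
```

Run against the sample, the scanner reports the Google tag and the noscript image beacon from their src attributes and the Meta Pixel loader from the inline bootstrap; the first-party script and logo are ignored. A static scan of this kind only sees what is in the served HTML, so it complements, rather than replaces, a browser-side review of the network requests a page actually makes (tag managers can load further vendors at run time).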

The deadline for objection to and exclusion from the settlement is November 18, 2025. Claims must be submitted by December 18, 2025, and the final approval hearing has been scheduled for January 22, 2026.


Pomona Valley Hospital Medical Center Pays $600K to Settle Meta Pixel Lawsuit

Pomona Valley Hospital Medical Center in California has agreed to pay $600,000 to resolve all claims in class action litigation over its use of Meta Pixel and similar tracking technologies on its public website. According to the lawsuit, the tracking tools resulted in an impermissible disclosure of personally identifiable information to third parties such as Meta (Facebook).

The lawsuit – Warren v. Pomona Valley Hospital Medical Center – was filed in the Superior Court of the State of California, County of Los Angeles, and alleged the use of these tools violated wiretapping and other statutes. Pomona Valley Hospital Medical Center denies all material allegations in the lawsuit and maintains there was no wrongdoing or liability; however, the decision was made to settle the litigation to avoid the costs and risks associated with a trial and related appeals.

Following extensive arm’s-length negotiations, a settlement in principle was reached, and the full terms of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Pomona Valley Hospital Medical Center has agreed to establish a $600,000 settlement fund to cover attorneys’ fees, administrative expenses, service awards, and benefits to the class members.

After all fees and expenses have been deducted from the settlement fund, the remainder will be paid to class members as a pro rata cash payment. Class members are California residents who visited the Pomona Valley Hospital Medical Center website and logged into the patient portal between January 1, 2019, and December 31, 2022.

The deadline for objection to and exclusion from the settlement is December 9, 2025, and the final fairness hearing has been scheduled for January 5, 2026. Class members will be contacted directly about the settlement and may choose how they receive their cash payment (check, PayPal, Venmo, etc.); the choice can also be made via the settlement website: https://pvhmcsettlement.com/


Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims

Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon have agreed to settle class action litigation stemming from an October 2023 data incident. An unauthorized third party gained access to employee email accounts between October 2, 2023, and October 3, 2023. While the unauthorized access was detected and remediated promptly, the hackers had access to sensitive data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial information, medical information, health insurance information, and digital signatures.

Notification letters were mailed to the affected individuals on December 1, 2023. The Oregon Attorney General was informed that the breach affected 22,796 individuals, and the HHS’ Office for Civil Rights was notified that the protected health information of 19,373 individuals was potentially compromised in the attack.

A class action lawsuit was filed by plaintiff Krysta Hakkila individually and on behalf of similarly situated individuals, which was followed by a second lawsuit filed by plaintiff Ida Vetter. The two lawsuits were consolidated in the Circuit Court of Deschutes County, Oregon – Hakkila et al. v. Neuromusculoskeletal Center of The Cascades, PC.

The lawsuit claimed that the Neuromusculoskeletal Center of The Cascades failed to implement appropriate security measures and could have prevented the data breach, asserting claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Oregon Unlawful Trade Practices Act. Neuromusculoskeletal Center of The Cascades disagrees with the claims and maintains there was no wrongdoing or liability.

The defendants and the plaintiffs agreed to settle the lawsuit with no admission of wrongdoing or liability to avoid the cost and risks of a trial. The settlement has recently received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for two years of medical data monitoring (CyEx Medical Shield Total), reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $500 per class member, reimbursement for documented lost time dealing with the effects of the data breach (up to four hours at $25 per hour), and reimbursement of losses to identity theft and fraud, up to a maximum of $2,500 per class member. Class members who do not wish to claim any of the above benefits may submit a claim for an alternative one-time cash payment of $80.

The deadline for submitting a claim is December 26, 2025. The final approval hearing has been scheduled for January 9, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 25, 2025.


U.S. Nationals Indicted for BlackCat Ransomware Attacks on Healthcare Organizations

Two U.S. nationals have recently been indicted for using BlackCat ransomware to attack targets in the United States. A third individual is suspected of involvement but was not included in the indictment. All three individuals worked at cybersecurity companies and conducted the attacks while they were employed there.

Ryan Clifford Goldberg was employed by the cybersecurity firm Sygnia as an incident response professional, and Kevin Tyler Martin and an unnamed co-conspirator were both employed by the Chicago-based cyber threat intelligence and incident response firm DigitalMint as ransomware threat negotiators.

The two indicted individuals are alleged to have conspired to enrich themselves by breaching company networks, stealing data, encrypting files with ransomware, and extorting the companies for cryptocurrency payments. A medical device company was attacked on or around May 13, 2023, and received a $10 million ransom demand. The medical device company negotiated and paid a ransom of $1,274,000.

A pharmaceutical company was also attacked in May 2023, but the ransom demand was not disclosed. Then came a July 2023 attack on a doctor’s office in California, which included a $5,000,000 ransom demand. In October 2023, an engineering company was attacked and told to pay $1 million, then in November 2023, a drone manufacturer in Virginia was attacked, and the defendants allegedly demanded a $300,000 ransom payment. Only the medical device company paid the ransom.

Kevin Tyler Martin, who resides in Texas, was employed as a ransomware negotiator by DigitalMint between May 2023 and April 2025, where the unnamed Florida-based co-conspirator also worked. Both individuals are thought to have been rogue employees and have been fired by DigitalMint, which has been cooperating with the law enforcement operation. Ryan Clifford Goldberg was employed as an incident response manager at Sygnia Cybersecurity Services at the time of the attacks, but no longer works for the company.

There are no indications that either company was aware of the attacks, which were conducted outside of their infrastructure and systems. DigitalMint said client data was not compromised in the incident, and no one alleged to have been involved in the scheme has worked for the company in over four months.

The FBI raided the home of the unnamed co-conspirator in April 2025, and Goldberg was interviewed by the FBI the following month, initially denying involvement in the scheme. Goldberg later claimed to have been recruited by the unnamed co-conspirator and said he conducted the attacks to get out of debt. He claims that, along with the other two members of the scheme, he received payment of $200,000 for the attack. Martin denies any involvement in the scheme.

Martin and Goldberg were indicted on October 2, 2025, on charges of conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce, and intentional damage to a protected computer. Martin has been released on a $400,000 bond and is prohibited from working in cybersecurity before the trial.

Goldberg is being held pending trial as he is considered a flight risk. In June, Goldberg booked a one-way flight from Atlanta to Paris and traveled with his wife, remaining in France until September 21. He then flew from Amsterdam to Mexico City, was arrested on landing, and was deported to the United States. If found guilty, Martin and Goldberg each face up to 50 years in prison.
