Legal News about HIPAA Compliance

Legacy Health & Garnet Health Settle Class Action Lawsuits Over Website Tracking Tools

Two healthcare providers have agreed to settle class action lawsuits over their use of website tracking technologies. Website tracking technologies, such as pixels, collect data about website users and transmit it to the vendor of the tool; when such a tool is installed on a healthcare provider’s website or patient portal, that data can include personally identifiable information and protected health information. These tools have been found on the websites of many hospitals, and many lawsuits have been filed by individuals alleging privacy violations. Two such lawsuits, against Legacy Health and Garnet Health, have recently been settled, with no admission of liability, fault, or wrongdoing by the healthcare providers.

Legacy Health

Legacy Health, a nonprofit health system with seven hospitals and more than 90 clinics in Oregon and Vancouver, Washington, was sued over the alleged use of third-party tracking tools on its websites without the knowledge or consent of website users. According to the lawsuit, the tools transmitted patients’ personally identifiable information to third parties such as Meta Platforms Inc. (Facebook) and Alphabet Inc. (Google).

The lawsuit – Katherine Layman v. Legacy Health – asserted claims of negligence, breach of confidence, invasion of privacy, breach of implied contract, unjust enrichment, and violation of the Electronic Communications Privacy Act. All parties agreed to settle the litigation to avoid the cost and time associated with continuing with the litigation, and the uncertainty of trial.

Under the terms of the settlement, Legacy Health has agreed to pay up to $2,200,000 to cover attorneys’ fees and expenses, settlement administration costs, and an incentive award of $2,500 to the class representative. Class members are entitled to a one-year membership to CyEx’s Medical Shield privacy protection solution, and may submit a claim for a cash payment of $15.00. Individuals wishing to object to the settlement or exclude themselves must do so by March 16, 2026. Claims for cash payments must be submitted by March 16, 2026, and the final approval hearing has been scheduled for April 16, 2026.

Garnet Health

Garnet Health, a Middletown, New York-based three-campus health system with nine urgent care facilities serving residents of Orange and Sullivan Counties in New York, was alleged to have added tracking tools to its website and MyChart patient portal, which resulted in disclosures of individuals’ personally identifiable information and protected health information to Meta Platforms Inc. (Facebook) and Google Inc. without users’ knowledge or consent. Information allegedly disclosed included health conditions, searches for medical treatment, and other sensitive information.

Lawsuits were filed by Dolores Gay and Corinne Jacob over the alleged disclosures, which were consolidated as they had overlapping claims – Gay et al. v. Garnet Health. After a year of hard-fought litigation, all parties attended mediation and agreed to a settlement to resolve the lawsuit. Under the settlement, Garnet Health has agreed to pay attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. All class members are eligible to enroll in Dashlane Premium, a privacy protection product, for 12 months. In addition, class members may claim a one-time cash payment of $19.50. Individuals wishing to object to the settlement or exclude themselves must do so by March 17, 2026. Claims for cash payments must be submitted by April 16, 2026, and the final approval hearing has been scheduled for April 13, 2026.

The post Legacy Health & Garnet Health Settle Class Action Lawsuits Over Website Tracking Tools appeared first on The HIPAA Journal.

Capital Health Data Breach Litigation Settled for $4.5M

Capital Health has agreed to pay $4.5 million to settle a class action lawsuit stemming from a 2023 ransomware attack. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell Township – as well as many primary care clinics in New Jersey and Pennsylvania.

On or around November 26, 2023, Capital Health identified unauthorized activity within its computer systems. The forensic investigation confirmed that a criminal cyber actor had access to its network between November 11, 2023, and November 26, 2023, and used ransomware to encrypt files. The investigation determined that files containing patient data had been exposed and may have been stolen. The LockBit ransomware group claimed responsibility for the attack and said it exfiltrated 7 TB of data. LockBit threatened to publish the stolen data on January 9, 2024, if the ransom was not paid. It is unclear if any payment was made.

Capital Health’s investigation confirmed that the hackers potentially accessed patient data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and medical information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 503,071 individuals. Capital Health announced the cyberattack in December 2023, and the first class action lawsuit over the attack was filed on December 19, 2023. Further class action lawsuits were filed by other affected patients, and because the lawsuits had overlapping claims, they were consolidated in May 2025 – Bruce Graycar, et al. v. Capital Health Systems, Inc. – in the United States District Court for the District of New Jersey. The consolidated class action lawsuit alleged claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, declaratory judgment, and violation of the New Jersey Consumer Fraud Act.

All parties discussed the option of settling the lawsuit, and a settlement was agreed upon by all parties, with no admission of liability, fault, or wrongdoing by Capital Health. Under the terms of the settlement, class members may submit claims for up to $5,000 per class member as reimbursement for documented, unreimbursed losses resulting from the data breach. Alternatively, class members may submit a claim for a cash payment, estimated to be $100 per class member. The cash payments may be increased or decreased, depending on the number of valid claims received. In addition to the cash payments, class members may also submit a claim for three years of credit monitoring services, valued at $90 per year.

Capital Health has also confirmed to class counsel that a range of additional security measures have been implemented and will be maintained to better protect patient data in the future. The deadline for objection to and opting out of the settlement is March 9, 2026. The deadline for submitting a claim is April 6, 2026, and the final fairness hearing has been scheduled for July 14, 2026.


Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit

Gryphon Healthcare, a Houston, TX-based revenue cycle, coding, compliance, consultancy, and management services vendor, faced multiple class action lawsuits over a July 2024 cyberattack involving a partner for which it provides billing services. Gryphon Healthcare learned about the incident in August 2024, and its investigation found that files may have been viewed or obtained. Those files contained the protected health information of 393,358 patients, including names, dates of birth, addresses, Social Security numbers, dates of service, diagnoses, medical treatment information, prescriptions, medical record numbers, and health insurance information.

On or around October 11, 2024, Gryphon Healthcare started sending notification letters to the affected individuals, and shortly thereafter, the first class action lawsuit was filed. A further eight lawsuits were subsequently filed, which were consolidated into a single complaint – Morris et al., v. Gryphon Healthcare, LLC – in the District Court for Harris County, Texas. The lawsuit asserted claims of negligence/negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, unjust enrichment, bailment, a failure to provide adequate notice pursuant to any breach notification statute or common law duty, and violations of state consumer protection laws.

While Gryphon Healthcare denies wrongdoing, fault, and liability for the cyberattack and data breach, after considering the cost and distraction of continuing the litigation and the uncertainty of trial, the decision was taken to settle. Under the terms of the settlement, Gryphon Healthcare will establish a $2,800,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the nine named plaintiffs. After those costs have been deducted, the remainder of the fund will be used to pay benefits to the class members.

Class members may choose one of two cash payments. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, they may choose to receive a cash payment, which is estimated to be $100, but may increase or decrease depending on the number of valid claims received. All class members who submit a valid claim are entitled to a two-year membership to an identity theft protection and medical data monitoring service, which includes a $1 million identity theft insurance policy. The deadline for objecting to the settlement and opting out is March 17, 2026. Claims must be submitted by April 16, 2026, and the final fairness hearing has been scheduled for August 31, 2026.

Nov 4, 2024: Gryphon Healthcare Facing Multiple Lawsuits Over 400,000-Record Data Breach

Gryphon Healthcare, a Houston, TX-based provider of revenue cycle management and medical billing services to healthcare providers, is facing multiple class action lawsuits over an August 2024 data breach that involved unauthorized access to the protected health information of almost 400,000 individuals. The compromised information included names, contact information, Social Security numbers, diagnosis and treatment information, health insurance information, and medical record numbers. The intrusion occurred via an unnamed IT service provider.

At least seven lawsuits have now been filed by individuals who were recently notified about the exposure of their protected health information. The plaintiffs allege that Gryphon Healthcare failed to implement reasonable and appropriate cybersecurity measures to protect the sensitive information it stored and also failed to monitor its network for unauthorized activity. The lawsuits assert that if appropriate defenses had been implemented and if industry standards had been adhered to, the data breach could have been prevented, and that proper monitoring would have allowed the intrusion to be detected much more promptly.

The lawsuits make similar claims, including a violation of duties under common law, contract law, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Trade Commission (FTC) Act. The plaintiffs allege that the theft of their personal and protected health information has resulted in them suffering and continuing to suffer injuries, including financial harm due to the misuse of their information, lost time due to the detection and prevention of identity theft and fraud, and the loss or diminished value of their private information.

The plaintiffs make claims of negligence, negligence per se, invasion of privacy, breach of confidence, breach of fiduciary duty, breach of implied contract, breach of third-party beneficiary contract, and unjust enrichment. The lawsuits were filed in Texas federal court and seek class action certification for a nationwide class of individuals affected by the data breach, a jury trial, actual, compensatory, statutory, and punitive damages, and injunctive relief, including an order from the court requiring Gryphon Healthcare to implement a host of security measures to safeguard the personal and protected health information stored by the company.


Northwell Health & Northbay Healthcare Settle Litigation Over Website Pixel Use

Northwell Health & Northbay Healthcare were sued over the use of tracking tools on their websites, which are alleged to have illegally disclosed sensitive data to unauthorized third parties. Both healthcare providers have agreed to settle the lawsuits.

Northwell Health Data Breach Settlement

Northwell Health has agreed to settle litigation over its use of tracking software on its website. According to the lawsuit, tracking tools such as Meta Pixel and Google Analytics code were added to its website and were configured in a manner that resulted in protected health information being transmitted to third parties, without the consent of website visitors.

The lawsuit – Kaplan v. Northwell Health, Inc. – was filed in the New York State Supreme Court, Kings County, and alleged that information about website users’ past, present, or future health conditions, including the type and date of a medical appointment, was collected and transmitted to third parties. That information could be tied to individuals via identifiers such as their Facebook ID and IP address. The information disclosed could allow third parties to infer that the individual was seeking treatment for a specific medical condition and was a patient of Northwell Health. The lawsuit alleges that the use of tracking tools on the website without obtaining consent violated the Electronic Communications Privacy Act.
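The tools at issue in these settlements are loaded by ordinary script tags and, as the Legacy Health and Northwell complaints describe, fire on pages where a visitor logs into a portal or books an appointment. The audit a privacy or security team would run against its own site is to find those loaders on exactly those pages before a plaintiff does. The following is an added example written for this page; it is not code from the article or from any party to these lawsuits. It uses only the Python standard library, and the loader hostnames, the page-sensitivity word list, and the three sample pages are assumptions constructed for the example, not captured from any real site.

```python
from html.parser import HTMLParser

# Loader hostnames and API calls that identify the third-party tools named in these
# settlements (Meta Pixel, Google Analytics / Tag Manager). Extend as needed.
TRACKER_SIGNATURES = {
    "Meta Pixel": ("connect.facebook.net", "fbevents.js", "fbq("),
    "Google Analytics/Tag Manager": ("googletagmanager.com", "google-analytics.com", "gtag("),
}

# Words whose presence in visible text suggests a page where a visitor reveals a patient
# relationship. Assumed heuristics for this example; tune them to the site being audited.
SENSITIVE_MARKERS = ("appointment", "patient portal", "mychart", "followmyhealth", "login", "log in")


class _PageCollector(HTMLParser):
    """Separates script/iframe/img sources and inline script bodies from visible text."""

    def __init__(self):
        super().__init__()
        self.sources = []        # src attributes of script, iframe and img tags
        self.inline_code = []    # bodies of inline <script> and <style> blocks
        self.visible_text = []   # text outside script/style elements
        self._in_code = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._in_code = True
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.sources.append(a["src"])

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_code = False

    def handle_data(self, data):
        (self.inline_code if self._in_code else self.visible_text).append(data)


def find_trackers(html):
    """Return the sorted names of known tracking tools loaded by the page."""
    page = _PageCollector()
    page.feed(html)
    corpus = "\n".join(page.sources + page.inline_code)
    return sorted(name for name, sigs in TRACKER_SIGNATURES.items()
                  if any(sig in corpus for sig in sigs))


def is_sensitive_page(html):
    """True when the visible text suggests a portal, login or appointment page."""
    page = _PageCollector()
    page.feed(html)
    text = " ".join(page.visible_text).lower()
    return any(marker in text for marker in SENSITIVE_MARKERS)


def audit_page(html):
    """Flag a page that both loads a third-party tracker and handles patient interactions."""
    trackers = find_trackers(html)
    sensitive = is_sensitive_page(html)
    return {"trackers": trackers, "sensitive": sensitive, "flagged": bool(trackers) and sensitive}


# Constructed sample pages for the example, not captured from any real site. All IDs are placeholders.
PORTAL_PAGE_WITH_PIXEL = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  // Meta Pixel base code as typically pasted into a site template
  !function(f,b,e,v,n,t,s){ /* loader body omitted */ }(window, document, 'script',
      'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script>
</head><body>
<h1>Patient Portal Login</h1>
<form action="/portal/login"><input name="username"><input name="password" type="password"></form>
<a href="/schedule">Book an appointment</a>
</body></html>"""

PORTAL_PAGE_CLEAN = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Patient Portal Login</h1></body></html>"""

CAREERS_PAGE_WITH_PIXEL = """<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script></head>
<body><h1>Careers</h1><p>Open positions.</p></body></html>"""


if __name__ == "__main__":
    for label, html in (("portal with pixel", PORTAL_PAGE_WITH_PIXEL),
                        ("portal clean", PORTAL_PAGE_CLEAN),
                        ("careers with pixel", CAREERS_PAGE_WITH_PIXEL)):
        print(label, audit_page(html))
```

Only the first sample is flagged: the careers page loads the same pixel but collects nothing about a patient relationship, and the clean portal page has no third-party loader. A static scan of this kind catches the loader, not what it transmits; the settlements turned on the configuration that sent appointment types, portal logins and identifiers such as the Facebook ID along with it, so a flagged page still needs the actual outbound requests inspected in a browser before deciding what is being disclosed.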

Northwell Health disagrees with the claims and contentions in the lawsuit and sought to have the lawsuit dismissed. Northwell Health believes it would have prevailed on its motion to dismiss; however, before the motion to dismiss was argued, all parties engaged in settlement discussions. After considering the likely cost of continuing with the litigation and the risks associated with doing so, the decision was taken to settle the lawsuit.

There are two subclasses, the first of which consists of individuals who logged into the FollowMyHealth patient portal between January 1, 2020, and December 31, 2023, and any patient who booked an appointment via the website between the same dates. Those individuals may claim a cash payment of $15.00. The second subclass consists of all other Northwell Health patients between January 1, 2020, and July 25, 2024, who are not included in the first subclass. Individuals in both subclasses are entitled to a 12-month subscription to a privacy monitoring service. Claims must be submitted by April 20, 2026. The final fairness hearing has been scheduled for April 21, 2026. Individuals wishing to opt out of the settlement or object, must do so by March 23, 2026.

Northbay Healthcare Data Breach Settlement

Northbay Healthcare, the operator of two hospitals in Fairfield and Vacaville, California, and several care centers in Solano County, settled litigation over its use of website tracking tools, which are alleged to have impermissibly disclosed patient data to Meta Platforms, Google, and others.

The lawsuit – J.A., T.A., and N.C. v. NorthBay Healthcare Corporation – was filed in the Superior Court of Solano County, California, and alleged that the inclusion of the tools on its website, without informing patients and obtaining consent, resulted in an invasion of privacy and other common law and statutory violations. NorthBay Healthcare denies all allegations of wrongdoing and liability, and all material allegations in the class action complaint. After considering the likely costs of protracted litigation and the uncertainty of a trial and related appeals, the decision was taken to settle the litigation.

Under the terms of the settlement, individuals who were California residents between November 29, 2020, and May 14, 2024, and visited a Northbay Healthcare website or used the patient portal between those dates may submit a claim for a cash payment of $15.00. Class members may also claim a 12-month subscription to the CyEx Privacy Shield Pro privacy protection service. The deadline for opting out, objecting, and submitting a claim is March 12, 2026. The final fairness hearing has been scheduled for March 19, 2026.


Numotion Agrees to Pay $4 Million to Settle Litigation Stemming from 2024 Data Breaches

The mobility equipment provider United Seating and Mobility, doing business as Numotion, has agreed to settle class action litigation stemming from two data security incidents in 2024 that involved unauthorized access to the protected health information of hundreds of thousands of its customers.

The first incident was detected by Numotion on March 2, 2024. The forensic investigation confirmed that an unauthorized third party gained access to its systems, which, according to the lawsuit, contained the personal and protected health information of 685,264* current and former customers and employees. The attacker, a ransomware group, had access to its network between February 29, 2024, and March 2, 2024, and potentially obtained names, dates of birth, equipment order details, supporting medical documentation, medical insurance information, and, for certain individuals, Social Security numbers.

The second data security incident was a phishing incident, discovered on September 29, 2024, involving unauthorized access to email accounts. The data review confirmed that the personal and protected health information of 494,326 individuals* was present in the compromised accounts, including names, dates of birth, product information, payment and financial account information, health insurance information, medical information, and limited Social Security numbers.

Multiple class action lawsuits were filed in response to each data breach, which were consolidated into two separate actions. In March 2025, the parties in each of the two consolidated actions explored the early resolution of both lawsuits in a single settlement. Following a full day of mediation and arms-length negotiations, the material terms of a settlement were agreed upon, and over the following weeks, a settlement was finalized with no admission of liability or wrongdoing by the defendant. That settlement has now received preliminary approval from the court.

Under the terms of the settlement, Numotion has agreed to establish a $4,000,000 settlement fund to cover attorneys’ fees and expenses (up to $1,333,333.33), settlement administration costs, service awards for the class representatives, and benefits for the class members. There are two possible cash payments. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $15,000 per class member, and are also eligible for a pro rata cash payment. The pro rata payments will be made from whatever remains of the settlement fund after the costs and other benefits have been paid.

All class members will receive two years of complimentary credit monitoring services without submitting a claim, and the subclass of individuals who had their Social Security numbers exposed may submit a claim for two years of medical monitoring services. The deadline for opting out of or objecting to the settlement is March 3, 2026, and claims must be submitted by March 18, 2026. The final approval hearing has been scheduled for April 2, 2026.

*The HHS’ Office for Civil Rights was informed that the first incident involved the protected health information of up to 602,265 individuals, and the second data breach involved the protected health information of up to 529,004 individuals.


Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit

The healthcare technology company Veradigm Inc. (formerly Allscripts) has agreed to settle a class action lawsuit that was filed in response to a 2024 data breach that compromised sensitive patient data. The Illinois-based company provides software tools to healthcare organizations, including electronic medical record software and practice management tools. In December 2024, cybercriminals accessed its network and potentially obtained patient data belonging to its healthcare clients. More than 2 million patients were affected. Data compromised in the incident included names, contact information, dates of birth, health record information, insurance claim data, payment information, and other identifiers, such as Social Security numbers and copies of their driver’s licenses.

The first class action lawsuit in response to the data breach was filed in June 2025 by plaintiffs Tony Goodrum and Jason Mixton, individually and on behalf of similarly situated individuals. A second class action lawsuit was subsequently filed, and the two actions were consolidated into a single action in the U.S. District Court for the Northern District of Illinois, since they had overlapping claims.

The consolidated lawsuit – Goodrum, et al. v. Veradigm Inc. – alleged that the data breach was the result of negligence, and could have been prevented had reasonable and appropriate cybersecurity measures been implemented. In addition to negligence, the lawsuit asserted claims for negligence per se, breach of implied contract, unjust enrichment, declaratory judgment, and injunctive relief.

Veradigm denies all claims of wrongdoing and liability; however, shortly after the two lawsuits were filed, the company explored the prospect of early resolution. Following mediation after the consolidated lawsuit was filed, an agreement in principle was reached to settle the litigation, with no admission of liability or wrongdoing. Class counsel and the class representatives believe the negotiated settlement is fair and in the best interests of the class members.

Under the terms of the settlement agreement, Veradigm has agreed to establish a $10,500,000 settlement fund to cover claims for benefits for the class members, settlement administration costs, and attorneys’ fees and costs, as approved by the court. Class members are entitled to submit a claim for up to $5,000 as reimbursement of documented, unreimbursed losses due to the data breach or, alternatively, may claim a cash payment, which is expected to be $50, but will be adjusted based on the number of valid claims received. Regardless of the option chosen, class members are also entitled to claim a two-year membership to a medical data monitoring product. Further information on what may be claimed can be found on the settlement website: https://veradigmdatasettlement.com/

The deadline for objection and opting out of the settlement is February 17, 2026. Claims must be submitted by March 3, 2026, and the final fairness hearing has been scheduled for March 18, 2026.


Epic Sues Health Information Exchange Network Alleging Improper Record Access

Epic Systems, the market-leading electronic medical record system provider, has filed a lawsuit against the health information network Health Gorilla and several of its clients, alleging improper access to the records of 300,000 patients.

The lawsuit, which also names OCHIN Inc., Reid Hospital & Health Care Services Inc. (Reid Health), Trinity Health Corporation, and UMass Memorial Health Care Inc. as plaintiffs, alleges that bad actors have fraudulently obtained access to patient data and are abusing that access for financial gain. The lawsuit seeks to put an end to the exploitation of health information exchange frameworks for obtaining and monetizing patient data.

The lawsuit alleges that certain Health Gorilla clients are turning nationwide interoperability frameworks into data marts, where sensitive patient data can be bought and sold without patients’ or physicians’ knowledge or consent, including patient data stored in Epic’s interoperability framework.

Two national frameworks – Carequality and TEFCA – are responsible for almost one billion patient-record exchanges each month. Any provider that participates in either framework makes patient data available to other participants. As a condition of participation, they agree to comply with federal laws such as HIPAA and state regulations regarding uses and disclosures of patient data.

The defendant Health Gorilla and similar implementers of the frameworks control who can enter the frameworks, and in so doing, who can gain unfettered access to patient data. As such, the plaintiffs state that there is an important obligation to ensure that prior to joining the framework, the entity requesting access requires that access for the legitimate purpose of providing treatment to patients. The lawsuit alleges that some participants are masquerading as healthcare providers who provide treatment to patients but seek access to monetize patient records.

Once authorized to participate in the framework, a participant obtains access to real-time patient data; viewing an individual’s records requires only basic demographic information, such as the patient’s name and address. The lawsuit alleges that Health Gorilla clients have been abusing this access for financial gain, for instance by obtaining patient data to market to lawyers seeking patients with specific conditions and diagnoses to join mass tort class action lawsuits.

The plaintiffs claim that bad actors take many steps to conceal the true purpose of their access, such as maintaining fictitious websites, creating shell entities, and using sham National Provider Identifier (NPI) numbers in the National Plan and Provider Enumeration System to create an illusion of legitimate patient treatment activity. In some cases, the lawsuit claims, they have injected clinically useless documents into the frameworks to give a false impression that they are treating patients, potentially putting patient safety at risk or, at the very least, wasting clinicians’ time.

Epic alleged that RavillaMed, a chronic condition management firm, has shared far fewer records with other providers than it retrieved, and the data the firm shared with Epic showed no evidence of any treatment of patients by a clinician, indicating records were accessed for purposes other than treatment. Epic claims that the added information incorporated previous diagnoses that are frequently involved in litigation, and other returned documents lacked any clinical value and are “clinical camouflage.” Epic alleges that RavillaMed and other Health Gorilla clients named in the lawsuit “operate as organized syndicates to monetize patient records without patients’ knowledge or consent.”

Health Gorilla vehemently denies the allegations, claims that it vets participants to ensure that they are seeking access to patient records for treatment purposes, and maintains that Epic is engaging in information blocking. Epic Systems is currently facing an antitrust lawsuit, brought by Particle Health, that alleges it is using its market dominance to illegally block access to health records. More recently, Texas Attorney General Ken Paxton filed a lawsuit against Epic alleging unfair, deceptive, and anticompetitive business practices, including restricting parental access to children’s medical records and undermining health technology competition in the state.

Epic claims that when companies are discovered to have become participants in the health information exchange under false pretenses, they simply create new companies to continue their activities. For instance, when concerns were raised about Critical Care Nurse Consulting’s access to patient records over its affiliation with law firms, it ceased accessing patient records through Carequality, then a related organization, SelfRx, that had previously been onboarded by Health Gorilla, started taking large volumes of patient records.

According to the lawsuit, when Integritort, a former Particle Health client, was banned from Carequality in October 2024, the former CEO of the company co-founded Mammoth, which started accessing patient records through Health Gorilla, and as was the case with RavillaMed, returned documents with no clinical value.

The lawsuit claims that bad actors gain access to patient data for financial gain by relying on technology implementers such as Health Gorilla, which it alleges conduct little to no vetting of participants, and that the company is knowingly enabling the abuse of patient data. Health Gorilla and the named clients deny all of Epic’s allegations, and Health Gorilla alleges that Epic is attempting to limit the exchange of health information.

“These actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic,” explained a spokesperson for Health Gorilla. “Health Gorilla supports efforts to promote competition, patient choice, and fair access to healthcare data.”

Epic claims that if healthcare providers participating in interoperability frameworks cannot trust a request for patient records is made for the purpose of treatment, they may feel compelled to leave the framework, while other healthcare providers that have yet to join may be dissuaded from doing so.

“Bad actors like [the] Defendants have falsely framed Epic and providers’ efforts to safeguard patients’ private medical information as information blocking that is harmful to patients and as unlawful obstruction,” countered Epic. “This intimidation campaign is designed to chill scrutiny and preserve the unscrupulous actors’ access to patient records so they can monetize them, including by selling them to mass tort law firms.”

The lawsuit alleges fraud, aiding and abetting fraud, breach of contract, and violations of the federal Computer Fraud and Abuse Act, and seeks to put an end to the exploitation of interoperability frameworks. In addition to Health Gorilla, the lawsuit names RavillaMed PLLC; Avinash Ravilla; Shere Saidon; LlamaLab, Inc.; Unique Medi Tech LLC (Mammoth Dx); MammothPath Solution, LLC; Mammoth Rx, Inc.; Ryan Hilton; Daniel Baker; Max Toovey; Unit 387 LLC; SelfRx, LLC (Myself.Health); Critical Care Nurse Consultants, LLC (GuardDog Telehealth); Hoppr, LLC; Meredith Manak; and DOES 1-100 as defendants.


PharMerica Pays Over $5.2 Million to Settle Class Action Data Breach Lawsuit

PharMerica has agreed to settle a class action lawsuit over a 2023 hacking incident and data breach that affected 5.8 million individuals. In addition to paying $5.2 million to cover costs and benefits, PharMerica has committed to investing millions to strengthen its security posture.

PharMerica, a Fortune 1000 pharmacy services provider, experienced a cyberattack in March 2023 for which the Money Message ransomware group took credit. The group claimed to have exfiltrated 4.7 terabytes of data in the attack, and it proceeded to leak the stolen data on its dark web data leak site, including files containing patient information. Data compromised in the attack included names, addresses, birth dates, medications, Social Security numbers, and health insurance information.

Several class action lawsuits were filed against PharMerica in response to the data breach, alleging negligent collection and storage of patient data. The lawsuits had overlapping claims and were consolidated into a single complaint – Lurry v. PharMerica Corporation – in the United States District Court for the Western District of Kentucky, Louisville Division. PharMerica denies all claims of liability and wrongdoing and sought to have the lawsuit dismissed. On January 12, 2024, a federal judge partially granted the motion to dismiss; however, she allowed the lawsuit to proceed.

On the negligence claim, the judge ruled that the plaintiffs had sufficiently alleged damages arising from the breach; however, she dismissed the breach of implied contract claim for those plaintiffs who had no direct relationship with PharMerica, the breach of fiduciary duty claim, and certain claims under California and Michigan law.

Under the terms of the settlement, PharMerica has agreed to pay $5,275,000 into a settlement fund, which will be used to pay attorneys’ fees, settlement administration costs, PharMerica’s past and future costs of data mining to identify members of the settlement class, service awards for the six class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $10,000 per class member, and are also entitled to claim a one-year membership to a service that provides credit monitoring, dark web monitoring, payday loan monitoring, credit score reporting, fraud consultation, and identity theft resolution. That package also includes a $1 million identity theft insurance policy. In addition, class members may claim a one-time cash payment, which will be paid pro rata and will depend on the number of claims received. Beyond the monetary settlement, PharMerica has agreed to change its business practices and improve its security to better protect the patient data in its possession.

The settlement received preliminary approval from the court on January 12, 2026. The deadline for objecting to the settlement or opting out is April 12, 2026. Claims must be submitted by April 27, 2026, and the final fairness hearing has been scheduled for May 12, 2026.


Consulting Radiologists Pays $2.2M to Settle Class Action Data Breach Litigation

A settlement has received preliminary court approval to resolve class action data breach litigation against Consulting Radiologists Ltd., a physician-owned radiology practice that provides medical imaging services at more than 100 healthcare facilities in Minnesota and the surrounding areas.

The Consulting Radiologists data breach was reported to the HHS’ Office for Civil Rights on June 14, 2024, as involving the protected health information of up to 583,824 individuals. A network intrusion was identified on February 12, 2024, and the investigation confirmed that an unauthorized third party had accessed the network and may have obtained patient data such as names, addresses, dates of birth, medical information, and health insurance information, along with the Social Security numbers of 19,346 individuals.

The data breach was announced in April 2024, and notification letters were sent to the affected individuals. Shortly thereafter, a class action lawsuit was filed in response to the data breach, followed by a further 18 complaints. In August 2024, District Court Judge Thomas Conley issued an order consolidating all complaints against Consulting Radiologists. The consolidated complaint – In re Consulting Radiologists Data Incident Litigation – was filed in the Fourth Judicial District Court, Hennepin County, Minnesota, on November 1, 2024.

The lawsuit claimed the data breach was the result of negligence and could have been prevented had reasonable and appropriate cybersecurity measures been implemented and maintained. The lawsuit alleged that Consulting Radiologists had violated the HIPAA Rules, including the HIPAA Security Rule, by failing to properly secure patient data, and the HIPAA Breach Notification Rule, due to the delay in issuing notifications to the affected individuals. HIPAA itself provides no private right of action, so such allegations are pleaded as evidence of the applicable standard of care under the negligence and negligence per se counts rather than as stand-alone HIPAA claims.

The lawsuit asserted claims of negligence, negligence per se, breach of contract, breach of implied contract, breach of third-party contract, breach of implied covenant of good faith and fair dealing, breach of fiduciary duty, breach of confidence, invasion of privacy/intrusion upon seclusion, unjust enrichment, and violations of the Minnesota Consumer Fraud Act and Minnesota Health Records Act.

Consulting Radiologists sought to have the lawsuit dismissed, and that attempt was partially successful; however, the court declined to dismiss the claims of negligence, negligence per se, unjust enrichment, injunctive/declaratory relief, and violations of the Minnesota Consumer Fraud Act and Minnesota Health Records Act. Following mediation and ongoing negotiations, a settlement was agreed to bring the litigation to an end, with no admission of liability or wrongdoing. Consulting Radiologists has agreed to pay $2,200,000 in aggregate to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the 19 class representatives, and benefits to the class members.

Class members may claim up to three benefits under the settlement. First, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Second, two years of single-bureau credit monitoring services may be claimed. Third, class members may claim a cash payment, the amount of which depends on the types of data compromised in the incident: it is expected to be $125 for individuals whose Social Security numbers were involved and $50 for all other class members. The cash payments are subject to a pro rata reduction to keep the total within the $2,200,000 cap.

The deadline for objection to and exclusion from the settlement is January 30, 2026. The deadline for submitting a claim is March 2, 2026, and the final fairness hearing has been scheduled for February 25, 2026. Further information can be found on the settlement website: https://www.crdatasettlement.com/
