Legal News about HIPAA Compliance

Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit

Bradford Health Services, LLC, and Bradford Health Partners, LLC, were sued over a December 2023 cybersecurity incident that exposed the personal and protected health information of current and former patients. The lawsuit states 32,425 individuals were affected by the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 28,543 individuals.

The unauthorized access was detected on December 8, 2023, and the file review determined that names, dates of birth, driver’s license numbers, medical information, including diagnosis and treatment information, health insurance information, financial account numbers, passport numbers, payment card numbers, plus a means of access to the account, and/or Social Security numbers had been compromised. The data review was not completed until May 2025, and notification letters started to be mailed later that month – 18 months after the breach was first identified. The Hunters International threat group claimed responsibility for the attack and stated that more than 760 GBs of data were exfiltrated from the defendants’ systems.

Multiple class action lawsuits were filed in response to the cyberattack and data breach, which were consolidated – In Re Bradford Health Services, LLC Data Breach Litigation – in the Circuit Court of Jefferson County, Alabama, Birmingham Division, where the lawsuit is still pending. The plaintiffs allege that the data breach was due to the negligence of the defendants, who are alleged to have failed to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence/wantonness, negligence per se, breach of express or implied contract, and unjust enrichment.

Shortly after the consolidated class action lawsuit was filed, the parties began exploring the possibility of an early resolution to limit costs and avoid the uncertainty of a trial and related appeals. Following mediation in October 2025, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and has received preliminary approval from the court.

The defendant has agreed to pay attorneys’ fees, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. All class members are entitled to enroll in three years of medical data monitoring services and may also submit a claim for reimbursement of documented losses up to $5,000 per class member, or an alternative cash payment, which is estimated to be $150, but may be higher or lower depending on the number of claims received.

The deadline for objection and exclusion is August 3, 2026, and claims must be submitted by August 17, 2026. The final fairness hearing has been scheduled for September 1, 2026.

The post Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Hillcrest Convalescent Center Settles Class Action Data Breach Litigation

Hillcrest Convalescent Center, a short-term inpatient rehabilitation and skilled nursing facility in Durham, North Carolina, has agreed to settle class action litigation over a June 2024 cyberattack.

Hackers breached its network, resulting in unauthorized access to and the potential theft of patients’ personal and protected health information. The hackers had access to information such as names, addresses, dates of birth, financial account numbers, driver’s license numbers, Social Security numbers, medical treatment information, and health insurance information. The incident affected more than 106,000 individuals, who were notified by mail in March 2025.

The data breach sparked several class action lawsuits, which were consolidated as they had overlapping claims. The consolidated lawsuit – In re Hillcrest Convalescent Center, Inc. Data Breach Litigation – is pending in the Superior Court of Durham County, North Carolina. Hillcrest Convalescent Center denies the allegations of wrongdoing and liability and, in September 2025, filed a motion to dismiss the consolidated complaint. The plaintiffs filed their response in October 2025, and later that month, the defendant filed their reply in further support of the motion to dismiss. Shortly thereafter, the parties began exploring the possibility of a settlement.

During mediation in January 2026, the parties agreed on the material terms of a settlement, which has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for reimbursement of documented out-of-pocket losses due to the data incident up to a maximum of $2,500 per class member. Class members who choose not to submit such a claim may instead claim an alternative cash payment, estimated to be $50 per claimant.

Regardless of the option chosen, class members are eligible to enroll in two years of credit monitoring services, which include a $1 million identity theft insurance policy. Claims must be submitted by August 26, 2026, and the final approval hearing has been scheduled for August 24, 2026. Individuals who do not submit a claim will lose the right to sue the defendant over the data breach and will receive nothing from the settlement. Individuals who want to retain the right to sue can exclude themselves and must do so by July 27, 2026. Objections to the settlement must be filed by July 27, 2026.


Multi-million-dollar Settlement Agreed to Resolve MCNA Dental Data Breach Lawsuit

A settlement has been agreed to resolve class action data breach litigation against Managed Care of North America (MCNA), Inc., and MCNA Insurance Company, doing business as MCNA Dental and Healthplex, Inc. The companies were sued in response to a massive data breach in 2023 that affected almost 9 million individuals. In March 2023, the defendants identified unauthorized access to the MCNA network. The LockBit ransomware group was behind the attack and first gained access to the network on February 22, 2023. Access was maintained until March 7, 2023, when ransomware was used to encrypt files. Prior to file encryption, sensitive data was exfiltrated from the network, including personal and protected health information (PHI).

MCNA Dental is one of the largest providers of government-sponsored dental benefits to children through state Medicaid and Children’s Health Insurance Programs, and stores a vast amount of PHI. The investigation determined that the ransomware group accessed or exfiltrated the PHI of 8,923,662 individuals, including names, contact information, Social Security numbers, driver’s license numbers, government-issued ID numbers, health information, and health insurance information. When the ransom was not paid, the LockBit group proceeded to leak the stolen data. The affected individuals were notified about the data breach in late May 2023.

A data breach of this scale was certain to trigger multiple class action lawsuits, the first of which was filed on June 5, 2023. In total, the defendants were named in 25 putative class action lawsuits. The lawsuits were materially and substantively identical, with overlapping claims, and on July 13, 2023, the lawsuits were consolidated into a single action – Crowe et al. v. Managed Care of North America Inc. d/b/a MCNA Dental, MCNA Insurance Company dba MCNA Dental, and Healthplex, Inc. – in the United States District Court for the Southern District of Florida.

The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, violations of state consumer protection act statutes, and declaratory and injunctive relief. A settlement failed to be agreed upon during court-appointed mediation, and the defendants sought to have the case dismissed. The lawsuit survived, and extensive discovery and litigation followed, along with a second failed attempt at mediation. After extensive subsequent settlement discussions, the material terms of a settlement were agreed upon.

The terms of the settlement have now been finalized, with no admission of liability or wrongdoing by the defendants. The defendants have agreed to establish a multi-million-dollar settlement fund to pay benefits to the class members, attorneys’ fees (up to $6,400,000), attorneys’ expenses (up to $1,313,000), and settlement administration costs (up to $2,000,000). The total value of the settlement has not been made public.

Class members may submit a claim for reimbursement of documented losses due to the data breach up to a maximum of $2,500 per class member; however, these claims have been capped at a total of $250,000. Class members are eligible to claim two years of medical data monitoring services, which include a $1 million identity theft reimbursement policy. These services have a retail cost of $179.40 per year for each class member who enrolls. In addition to paying the costs and benefits, MCNA has agreed to take several steps to improve security and has updated its business practices to reduce the risk of similar breaches in the future.

While all parties have agreed to the terms of the settlement, it has yet to receive preliminary approval from the court. The dates for objection, exclusion, and submitting claims will be set when and if the court approves the settlement. Class members will start to be notified directly about the settlement within 30 days of the court’s preliminary approval order. The notifications will include information on how to submit a claim and a code to activate the medical data monitoring service.


FMC Services Agrees to $2.15M Settlement to End Data Breach Lawsuit

FMC Services LLC, the operator of a network of primary care clinics in Amarillo and Canyon, Texas, experienced a cyberattack and data breach in 2022. The class action lawsuit that followed has recently been settled for $2.15 million.

The cyberattack was detected on July 26, 2022, and the forensic investigation confirmed that files had been exposed containing names, addresses, dates of birth, Social Security numbers, and health information. The FMC Services data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 233,948 individuals. Notification letters were mailed to 266,540 individuals.

Four individuals filed class action lawsuits in response to the exposure of their personal and protected health information. The lawsuits made similar claims and were consolidated into a single action – Sharber, et al. v. FMC Services, LLC – in the District Court of Potter County, Texas. The consolidated lawsuit claimed that FMC Services had a duty to maintain reasonable and appropriate cybersecurity measures and breached that duty, resulting in the cyberattack and data breach. The lawsuit asserted claims for negligence, negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment.

FMC Services denies any wrongdoing; however, it began discussing a potential settlement in mid-2024, but the terms of a settlement could not be agreed upon during mediation. Following extensive discovery and litigation, and after the plaintiffs defeated the defendant’s motion for summary judgment, a second attempt at mediation resulted in the material terms of a settlement being agreed upon.

The settlement has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, FMC Services will establish a $2,150,000 settlement fund to cover benefits to the settlement class members, attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the four class representatives.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. There is an alternative cash payment for class members who elect not to submit a reimbursement claim. The alternative cash payment is estimated to be $75 per class member, but it will depend on the number of valid claims.

All class members are also entitled to claim two years of medical data monitoring services, regardless of the cash payment they claim. The deadline for objection and exclusion is August 17, 2026, and claims must be submitted by August 31, 2026. The final fairness hearing has been scheduled for September 15, 2026.


Labcorp Agrees to $35M Settlement to Resolve AMCA Data Breach Litigation

A $35,000,000 settlement has been agreed to resolve a long-running class action lawsuit against Labcorp over a 2018 cybersecurity incident at American Medical Collection Agency. Laboratory Corporation of America Holdings (Labcorp), a provider of diagnostic testing services, had contracted with a company called Retrieval-Masters Creditor’s Bureau, Inc., which does business as American Medical Collection Agency (AMCA), to collect outstanding payments for Labcorp’s services.

On May 14, 2019, AMCA notified Labcorp about a cybersecurity incident that resulted in unauthorized access to Labcorp patients’ protected health information. Hackers had access to AMCA’s systems between August 2018 and March 2019, and potentially viewed or obtained some of their protected health information. The data breach affected multiple AMCA clients and resulted in the exposure of the protected health information of more than 25 million individuals, including the data of 10,251,784 Labcorp patients.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated into a single action – In Re: American Medical Collection Agency, Inc. Customer Data Security Breach Litigation – in the U.S. District Court for the District of New Jersey. The lawsuit asserted several claims, including negligence and breach of contract, all of which were denied by Labcorp, which maintains that there was no wrongdoing and that any alleged injury or damage was not caused by the security incident or any act or omission by Labcorp.

After six years of hard-fought litigation, all parties agreed to a settlement, in recognition that the outcome and final result through a trial and related appeals would involve substantial additional risk and uncertainty, discovery, and extensive time and expense. The $35,000,000 settlement resolves the Labcorp track of the litigation, with the settlement class consisting of all individuals whose information was transmitted by Labcorp to AMCA and was contained in AMCA’s systems at the time of the data breach. The settlement fund will be used to pay attorneys’ fees and expenses, notice and administration costs, and service awards for the 21 class representatives. The remainder of the settlement fund will be used to pay claims for reimbursement of losses, claims for alternative cash payments, and the cost of medical and healthcare information monitoring services.

All class members are eligible to claim a two-year membership to the CyEx Medical Shield Pro medical and healthcare information monitoring service. A claim may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Class members not wishing to submit such a claim may instead claim an alternative cash payment. The cash payments are estimated to be $50 per class member, but may be increased or decreased depending on the number of claims filed.

Individuals who do nothing will lose the opportunity to sue Labcorp over the data breach in the future. Benefits will only be paid to individuals who submit a claim. The deadline for objection to the settlement and exclusion is July 27, 2026. The deadline for submitting a claim is September 3, 2026, and the final fairness hearing has been scheduled for September 3, 2026. Further information can be found on the settlement website: https://www.amcadatabreachsettlement83395.com/


Duke University Health System; Derick Dermatology Settle Class Action Pixel Lawsuits

Two more healthcare providers have settled lawsuits over their use of website tracking technologies: Duke University Health System and Derick Dermatology.

Duke University Health System Pixel Settlement

A lawsuit filed against North Carolina’s Duke University Health System over the use of tracking tools on its website has been settled. Like many healthcare providers, Duke University Health System had added tracking tools such as pixels to its website. These tools collect information about website users, which can be used to improve web services. These tools can also transmit the collected information to third parties, and when placed on healthcare websites, that information may include health information, depending on a user’s interactions on the website.

A lawsuit was filed against Meta Platforms, Duke University Health System, WakeMed, and a defendant class of Facebook partner medical providers by plaintiffs Kim Naugle and Afrika Williams over the use of these tools. The claims against Meta Platforms were transferred to a separate class action lawsuit in California – In re Meta Pixel Healthcare Litigation – and the claims against WakeMed were consolidated into an existing state court case against the company. After voluntarily dismissing the lawsuit, plaintiff Afrika Williams filed a new lawsuit against Duke University Health System – Afrika Williams v. Duke University Health System, Inc. – in the U.S. District Court for the Middle District of North Carolina.

The lawsuit alleged that tracking tools had been added to its website by Duke University Health System without users’ knowledge or consent and resulted in personally identifiable information being transmitted to third parties, such as Meta. The lawsuit survived a motion to dismiss, and the claims against a defendant class of medical providers were dropped, along with several claims against Duke University Health System. The lawsuit proceeded against Duke University Health System for breach of contract and negligence.

Duke University Health System denies any wrongdoing, fault, and liability; however, following mediation, Duke University Health System agreed to a settlement. Duke University Health System will establish a $3,743,600 settlement fund to cover attorneys’ fees ($1,235,388) and expenses (up to $30,000), notification and settlement costs, and a $7,500 service award for the class representative. The remainder of the settlement fund will be used to pay pro rata cash payments to class members who submit a claim.

The deadline for objection and exclusion is July 20, 2026. The deadline for submitting a claim is August 16, 2026, and the final fairness hearing has been scheduled for August 27, 2026.

Derick Dermatology Pixel Settlement

Derick Dermatology, a dermatology practice with locations in Chicago, IL, and Tampa Bay, FL, has agreed to settle class action litigation over its use of pixels, cookies, code, and/or tracking or analytics, which are alleged to have disclosed website users’ personal information to third parties without their knowledge or consent.

The lawsuit – Jeffries v. Derick Dermatology PLLC – was filed in the Seventeenth Judicial Circuit in and for Broward County, Florida, and alleged that the use of these tools violated the Federal Wiretap Act, and that the actions of the defendant constituted a breach of fiduciary duty/confidentiality, invasion of privacy, breach of implied contract, unjust enrichment, and negligence. The defendant denied and continues to deny any wrongdoing, and that they committed, or threatened or attempted to commit, any wrongful act or violation of law or duty alleged in the action.

After considering the likely costs, distraction, disruption to business operations, and risks associated with any litigation, the defendant agreed to settle the lawsuit. Derick Dermatology has agreed to pay up to $1,000,000 to settle the lawsuit. From that amount, attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the class representative will be deducted.

Class members are entitled to claim a one-year subscription to a privacy shield product, and may submit a claim for a one-time cash payment, which is expected to be up to $12.50 per class member. The deadline for objection and exclusion is June 22, 2026. The deadline for submitting a claim is July 21, 2026, and the final fairness hearing has been scheduled for August 17, 2026.


Henderson & Walton Women’s Center Settles Class Action Data Breach Lawsuit

Henderson & Walton Women’s Center, a Birmingham, AL-based provider of women’s healthcare services, has agreed to settle a class action lawsuit stemming from a 2022 data breach that exposed the personal and protected health information of 34,306 individuals. The forensic investigation confirmed that an unauthorized third party had access to an employee’s email account between February 11, 2022, and February 14, 2022, and potentially obtained information such as names, dates of birth, driver’s license or state ID numbers, and medical and treatment information.

Plaintiff Kim Townsel filed a lawsuit – Townsel v. Henderson & Walton Women’s Center, P.C. – against Henderson & Walton Women’s Center in the Circuit Court for Jefferson County, Alabama, over the data breach, alleging a failure to properly secure and safeguard the sensitive and confidential information of patients through the use of encryption and other cybersecurity measures. The lawsuit alleged that the failure amounted to negligence. In addition to the negligence and negligence per se claims, the lawsuit asserted claims for breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Henderson & Walton Women’s Center maintains that there was no wrongdoing and disagrees with the claims made in the lawsuit; however, it agreed to a settlement to avoid the costs, distractions, and disruptions to its business from continuing with the litigation. The plaintiff and class counsel believe the settlement is fair, and the settlement has received preliminary approval from the court.

Under the terms of the settlement, class members are entitled to claim compensation for ordinary losses incurred as a result of the data breach up to a maximum of $150 per class member, plus compensation for extraordinary losses up to a maximum of $2,500 per class member. Individuals who lost time dealing with the data breach may claim reimbursement of up to three hours of lost time at $30 per hour. Class members are also entitled to enroll in three years of medical and credit monitoring services.

The deadline for objection and comments on the settlement is June 29, 2026. Individuals wishing to exclude themselves must do so by July 13, 2026. The final fairness hearing has been scheduled for August 12, 2026.


Onsite Women’s Health $2.5M Data Breach Settlement

A breach of the email account of an employee of Onsite Women’s Health that exposed the protected health information of 357,265 individuals has resulted in a $2,525,000 settlement. Onsite Mammography, LLC, which does business as Onsite Women’s Health, a Westfield, Massachusetts-based provider of medical imaging services to hospitals, identified unauthorized access to an employee’s email account in October 2024.

The email account was compromised as a result of a response to a phishing email, and while the account was only accessible for a short period of time, sensitive data was exfiltrated, including names, dates of birth, Social Security numbers, driver’s license numbers, credit card numbers, and information related to patients’ mental or physical conditions, and any care they received.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated – Clarkson, et al. v. Onsite Mammography, LLC, d/b/a Onsite Women’s Health – in the United States District Court for the District of Massachusetts. The consolidated lawsuit alleged that inadequate security measures had been implemented to prevent attacks on employee email accounts, and if those measures had been implemented, the data breach could have been prevented or at least the attack could have been detected more quickly, limiting the harm caused.

While the affected individuals were offered 12 months of complimentary credit monitoring services, the plaintiffs argue that the offer was insufficient considering the level of risk they face. They also claim that the defendant provided no reassurances that the stolen data had been deleted or that security had been sufficiently strengthened to prevent similar incidents in the future.

The lawsuit asserted claims for negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and declaratory judgment. The defendant maintains there was no wrongdoing and disagrees with the claims and contentions asserted by the plaintiffs. Despite disagreeing with the claims, after considering the likely costs and risks associated with continuing with the litigation, Onsite Women’s Health agreed to settle the lawsuit.

Under the terms of the settlement, Onsite Women’s Health will establish a $2,525,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the eight class representatives. The remainder of the settlement fund will be used to cover benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses incurred as a result of the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for three years of credit and medical data monitoring and insurance services. Class members may also claim a pro rata cash payment, which will be paid after all costs and claims have been paid and will exhaust the settlement fund. The deadline for objection and exclusion is July 13, 2026. Claims must be submitted by August 11, 2026, and the final fairness hearing has been scheduled for September 9, 2026.


$3.3M Settlement Resolves Data Breach Lawsuit Against Mt. Baker Imaging & Northwest Radiologists

Mt. Baker Imaging and Northwest Radiologists have agreed to pay $3,300,000 to settle a consolidated class action lawsuit stemming from a January 2025 ransomware attack and data breach affecting hundreds of thousands of patients.

Mt. Baker Imaging is a Washington-based medical imaging provider that uses Northwest Radiologists for interpreting medical images. In January 2025, a cyberattack was identified, and the forensic investigation determined that an unauthorized third party accessed its network between January 20, 2025, and January 25, 2025, and obtained files containing names, contact information, dates of birth, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, and health insurance information. The data breach was reported to the Washington Attorney General as affecting 348,118 state residents, and the HHS’ Office for Civil Rights was informed that the protected health information of up to 362,713 individuals was compromised in the incident.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated in a single complaint – In re: Mt. Baker Imaging, LLC, Data Security Litigation – in the Superior Court of the State of Washington for Whatcom County. The lawsuit alleged that the defendants failed to implement and maintain necessary data security safeguards, and asserted claims for negligence, breach of implied contract, invasion of privacy-intrusion upon seclusion, unjust enrichment, and violations of the Uniform Health Care Information Act, Washington Consumer Protection Act, Washington Data Breach Notification Disclosure Law, and Washington My Health My Data Act.

The defendants and the plaintiffs disagree about the legal claims made in the litigation; however, all parties agreed that a settlement was the best outcome, due to the benefits provided to the class members and the avoidance of the costs, risks, and uncertainty of continuing with the litigation. The defendants have agreed to establish a $3,300,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the nine class representatives. The remainder of the settlement fund will be used to pay benefits to approximately 340,184 class members.

All class members are entitled to claim a two-year membership to a medical identity theft protection and monitoring service, and may submit claims for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and claim a pro rata cash payment. The pro rata cash payments will distribute the net amount of the settlement fund after costs, expenses, claims, and medical identity theft protection and monitoring costs have been paid.

The deadline for objection and exclusion is July 20, 2026, and claims must be submitted by August 19, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 21, 2026.
