Legal News about HIPAA Compliance

Essen Medical Associates Agree to $4 Million Settlement to Resolve Class Action Data Breach Lawsuit

Essen Medical Associates has agreed to pay $4,000,000 to resolve class action litigation over a March 2023 cyberattack and data breach that affected 904,672 current and former patients. Essen Medical, a New York-based healthcare provider, experienced a cyberattack that saw hackers access its network between March 14, 2023, and March 22, 2023.

Data exposed in the incident included personally identifiable information and protected health information such as names, driver’s license numbers/state identification numbers, U.S. alien registration numbers, non-U.S. identification numbers, passport numbers, financial account information, dates of birth, Social Security numbers, medical treatment information, and health insurance information.

The data breach sparked several class action lawsuits, which were consolidated – Rivera, et al. v. Essen Medical Associates, P.C. – in the Supreme Court of the State of New York, County of Bronx. The consolidated lawsuit alleged that the cyberattack was preventable and was the result of the defendant’s failure to implement adequate and appropriate cybersecurity procedures and protocols. The lawsuit claimed that the defendants recklessly maintained data on systems vulnerable to cyberattacks.

The lawsuit asserted claims for negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violation of the New York Deceptive Trade Practices Act. Essen Medical denies all charges of wrongdoing or liability, and all claims or contentions alleged against it. All parties agreed that a settlement was the best outcome, and class counsel and the six class representatives believe that the settlement is fair. The settlement has recently received preliminary approval from the court and awaits final approval.

Under the terms of the settlement, Essen Medical will establish a $4,000,000 settlement fund to cover attorneys’ fees and expenses, service awards for the class representatives, and all costs related to the settlement. The attorneys’ fees will be no more than 33.33% of the settlement fund, and the service awards will be no more than $3,000 per class representative. The remainder of the fund will be used to pay for class member benefits.

Class members may submit a claim for documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition, a claim may be submitted for a cash payment of up to $100 per class member. The deadline for objecting to the settlement and exclusion is May 4, 2026. Claims must be submitted by June 1, 2026, and the final fairness hearing has been scheduled for July 7, 2026.

The post Essen Medical Associates Agree to $4 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

GuardDog Telehealth Admits Improper Access to Medical Records

A telehealth company has admitted to improperly accessing patients’ medical records. GuardDog Telehealth purported to require access to patients’ medical records for treatment purposes; however, the records were accessed in order to provide data to law firms for potential lawsuits.

GuardDog Telehealth obtained access to patients’ medical records through a Health Information Exchange (HIE) network, using Health Gorilla’s interoperability platform to access the records. Health Gorilla is a Qualified Health Information Network (QHIN) under the Trusted Exchange Framework and Common Agreement (TEFCA), through which many companies access patients’ medical records. The network supports patient care and ensures efficient care coordination between healthcare providers.

Epic Systems, the health IT consultancy firm OCHIN, and three healthcare providers filed a lawsuit against Health Gorilla and others, alleging they were allowing “sham” medical practices to access health information exchanges through their interoperability platforms. After gaining access, the sham companies are alleged to have marketed their access to patient data to law firms, offering to help them find plaintiffs for class action lawsuits. In addition to GuardDog Telehealth, other companies accused of improper access included Mammoth Path Solution, RavillaMed, and Llamalab. According to the lawsuit, the sham companies were given connections to Carequality, TEFCA, and other HIEs, which allowed them to access patient records.

The lawsuit seeks immediate relief for fraud, aiding and abetting fraud, violations of the California Business and Professions Code, and the Federal Computer Fraud and Abuse Act. According to the lawsuit, almost 300,000 patient records were improperly accessed by the sham companies under the guise of treatment. Only GuardDog Telehealth has admitted to any wrongdoing.

Companies such as Health Gorilla are the gatekeepers and control who can access their frameworks and sensitive patient data through HIEs. They must therefore ensure that any participants are vetted before they are onboarded, and are accessing the framework for legitimate purposes. Health Gorilla vehemently denies the allegations and claims that Epic, a rival, is attempting to squash competition.

In a legal filing – stipulated judgment and permanent injunction – on Friday, Epic said it has obtained an admission from Health Gorilla client GuardDog Telehealth that patient records were accessed under the guise of providing chronic care management and remote patient monitoring, when those services were not provided. Instead, records were reviewed and summarized, and the data was provided to law firms.

GuardDog Telehealth and Epic have reached an agreement and are seeking a court order permanently barring GuardDog Telehealth from requesting health records via the Carequality and TEFCA interoperability frameworks. GuardDog Telehealth has agreed to delete all patient records obtained from those frameworks within one week and will not use or disclose any patient information obtained from the HIEs. The agreement now awaits approval from the court.

Epic said the legal action against Health Gorilla and the other defendants will continue and that it would welcome discussions with other defendants regarding stipulated judgments and permanent injunctions. Health Gorilla maintains that GuardDog Telehealth did not inform it of any non-treatment uses of patient data and maintains that there has been no wrongdoing by Health Gorilla.

“GuardDog’s consent judgment has no legal impact on Health Gorilla, and is incomplete at best and misleading at worst. If you read carefully, GuardDog does not state it ever informed Health Gorilla of any non-treatment use of patient information, and we are prepared to demonstrate it did not,” explained Health Gorilla in a statement. “In addition, when Health Gorilla sought to investigate GuardDog along with the interoperability networks and several major health providers, GuardDog failed to respond and refused to cooperate. Epic’s lawsuit remains an attack on interoperability that threatens patient safety and efficient healthcare nationwide, made worse by misleading submissions like its agreement with GuardDog. Health Gorilla continues to fully comply with all applicable data-sharing frameworks, and we remain confident as we address these claims through the legal processes.”

Epic is also facing legal action of its own, with multiple class action lawsuits filed against it and other companies for failing to prevent Health Gorilla and its clients from connecting to the Epic Care Everywhere health information exchange. The lawsuits allege that Epic and others were negligent, as they either knew or should have known about the misuse of Care Everywhere to obtain patient information for non-treatment purposes, and that they failed to take timely corrective action.


Long Island Plastic Surgical Group Settles Class Action Lawsuit Over BlackCat Ransomware Attack

A consolidated class action lawsuit against Long Island Plastic Surgical Group, P.C., has been resolved with a $2,600,000 settlement. Legal action was taken by patients of the Garden City, New York-based private, academic plastic surgery practice in response to a January 4, 2024, ransomware attack by the ALPHV/BlackCat ransomware group. The forensic investigation confirmed that the BlackCat group accessed its network between January 4, 2024, and January 8, 2024, and used ransomware to encrypt files. Prior to encrypting files, sensitive data was exfiltrated from the network, including personally identifiable information (PII) and protected health information (PHI).

Data stolen in the incident included full names, Social Security numbers, driver’s license numbers or state identification numbers, dates of birth, biometric information, account numbers, credit or debit card information, medical information, patient photographs, health insurance policy information, and patient account numbers. In total, more than 161,000 current and former patients were affected. The BlackCat ransomware group demanded payment to prevent the publication of the stolen data on its dark web data leak site. Long Island Plastic Surgical Group chose to pay the ransom to prevent the release of the stolen data and received confirmation that the stolen data had been deleted.

On October 4, 2024, the affected individuals were notified by mail. Shortly after issuing notifications, seven putative class action lawsuits were filed by patients over the incident, alleging they had suffered harm as a result of the data breach. The lawsuits were consolidated – Baum et al. v. Long Island Plastic Surgical Group, P.C. – in the Supreme Court of the State of New York, County of Nassau.

The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the New York Consumer Law for Deceptive Acts and Practices Act. Long Island Plastic Surgical Group denies the allegations and all liability, including claims that the plaintiffs suffered any injury or damage as a result of the incident. To avoid the time, expense, and uncertainties of defending protracted litigation, the defendant agreed to settle the litigation. Class counsel and the class representatives agreed to the settlement as they concluded it was in the best interests of the class members.

Under the terms of the settlement, Long Island Plastic Surgical Group will establish a $2,600,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may choose to receive an alternative pro rata cash payment. An additional pro rata cash payment of up to $1,000 may be claimed by class members who had clinical photographs compromised in the incident.

The amount paid to class members claiming alternative cash payments will depend on the number of claims received, including claims for the additional cash payments. The additional cash payments may also be reduced depending on the remaining funds after legal costs and expenses, service awards, administration and notification costs, and claims for reimbursement of losses have been paid. The deadline for objection to and exclusion from the settlement is May 4, 2026. Claims must be submitted by May 18, 2026, and the final approval hearing has been scheduled for June 2, 2026.


$2.35 Million Settlement Agreed to Resolve Cornerstone Specialty Hospitals Data Breach Lawsuit

Cornerstone Healthcare Group Management Services, doing business as Cornerstone Specialty Hospitals (Cornerstone), has agreed to settle class action litigation stemming from a December 2023 cyberattack and data breach.

A threat actor gained access to the Cornerstone network on or around December 19, 2023, and potentially accessed and copied patient information. Data potentially compromised in the incident included names, dates of birth, Social Security numbers, federal or state ID numbers, financial account information, credit or debit card information, digital signatures, email addresses and passwords, usernames and passwords, passport numbers, medical/health information, health insurance information, and other protected health information. Initially, the data breach was reported to the HHS’ Office for Civil Rights using a placeholder estimate of at least 501 affected individuals. The total was later updated to 484,957 individuals.

A lawsuit – Mireles v. Cornerstone Healthcare Group Management Services LLC d/b/a/ Cornerstone Specialty Hospitals – was filed in the Court of the Western District of Kentucky, Louisville Division, in response to the data breach. The lawsuit alleged that the data breach was a direct result of the defendant’s failure to take necessary and appropriate steps to secure sensitive data on its network, and that the defendant failed to issue timely notifications, which were mailed on or around July 1, 2024, more than 6 months after the incident occurred.

The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and declaratory relief. Cornerstone denies all claims of fault, wrongdoing, and liability, but agreed to a settlement to avoid further legal costs and the uncertainty of a trial. Class counsel and the class representatives believe the settlement is fair and is in the best interests of the class members.

Cornerstone has agreed to establish a $2,350,000 settlement fund to cover attorneys’ fees and expenses, service awards for the class representatives, and settlement fund taxes and tax expenses. The remainder of the fund will be used to pay for benefits to the class members. Individuals whose Social Security numbers were compromised in the incident may claim two years of three-bureau credit monitoring and identity theft protection services. They may also submit a claim for reimbursement of documented, unreimbursed extraordinary losses due to the data breach, up to a maximum of $10,000 per individual.

All class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach. Claims are capped at $2,500 per individual for ordinary losses. Class members who do not submit a claim for reimbursement of losses, either ordinary or extraordinary losses, may instead claim a pro rata cash payment, which will be paid once costs and claims have been paid. Individuals whose Social Security numbers were exposed will receive a cash payment equal to three times the amount paid to non-SSN subclass members. The deadline for objection and exclusion is April 8, 2026. The deadline for submitting a claim is May 8, 2026, and the final approval hearing has been scheduled for May 14, 2026.


Former Nuance Employee Pleads Guilty to Stealing 1.2 Million Patient Records

A former employee of Nuance Communications has pleaded guilty to accessing and removing the protected health information of 1.2 million patients of Geisinger Health System after he was terminated. Nuance Communications was a business associate of Geisinger and had access to systems containing protected health information.

Max Vance, 46, of El Cajon, California, was terminated by Nuance for unrelated reasons; however, his access rights were not immediately revoked. Two days after his termination, Vance used his access to copy data from Geisinger’s systems. The breach was detected by Geisinger, which notified Nuance, and Vance’s access rights were terminated. Data copied by Vance included patient names, contact information, birth dates, admission/discharge/transfer codes, medical record numbers, and race/gender information. The copied data did not include financial information, Social Security numbers, or health insurance information.

Law enforcement was notified about the unauthorized access and copying of data, and an investigation was launched. The data breach was identified by Geisinger on November 29, 2023, and Vance was arrested in February 2024. During a search of his property, law enforcement found two unregistered firearms, fake and blank IDs, a machine for creating fake ID cards, and electronic equipment containing the stolen data.

Vance’s trial was scheduled for August 2024 but was postponed by the court on several occasions, and was due to take place on April 20, 2026. Vance agreed to enter a guilty plea to one count of obtaining data from a protected computer without authorization, which carries a maximum jail term of 5 years, up to three years of supervised release, and a fine of up to $250,000.

In court on February 27, 2026, Vance entered a guilty plea, although there are certain provisions attached. The plea agreement will see two charges of making false statements to the FBI dropped, with Vance receiving a sentence of time served, followed by three years of supervised release. Vance has already spent more than two years in jail following his arrest, which is longer than the minimum sentence. Under the plea agreement, Vance has agreed to pay restitution, although there is still disagreement on how much should be paid. Vance wanted to be released prior to sentencing; however, the judge refused, pending a review of the plea agreement.

If the judge does not agree to the provisions of the plea agreement, the guilty plea will be withdrawn, and the case will go to trial. Should that happen, Vance will be tried on all charges, including making false statements to the FBI. A sentencing hearing date has not yet been set.


General Physician Pays $2.5 Million to Settle Data Breach Litigation

General Physician, P.C., a medical group serving patients in Western New York, has agreed to pay $2.5 million to settle a class action lawsuit over a 2024 data breach.

Suspicious activity was identified within its email environment on June 12, 2024. The forensic investigation confirmed that an unauthorized third party had access to its email system from April 6, 2024, to June 12, 2024. Patient information exposed and potentially stolen in the incident included full names, addresses, Social Security numbers, financial account information, dates of birth, medical history information, mental and physical treatment information, diagnosis information, treating physician names, medical record numbers, and health insurance information. The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 individuals. The total was later updated to 167,387 individuals.

Several class action lawsuits were filed in response to the data breach, which were consolidated – Newhart v. General Physician, P.C. – in the Supreme Court of the State of New York, County of Erie. The plaintiffs alleged that General Physician was negligent for failing to implement reasonable and appropriate cybersecurity measures to protect sensitive patient data on its network. General Physician maintains that there was no wrongdoing and that there is no liability. All parties explored an early settlement and, following mediation, the material terms of a settlement were agreed. The settlement has now been finalized and has received preliminary approval from the court. The final fairness hearing has been scheduled for June 4, 2025.

Under the terms of the settlement, General Physician has agreed to establish a $2,500,000 settlement fund, which will be used to pay benefits to the class members after attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives have been deducted. While the OCR breach portal states that the protected health information of up to 167,387 individuals was compromised in the incident, the settlement class consists of approximately 490,210 individuals.

Class members are entitled to claim a two-year membership to a single-bureau credit monitoring and medical data monitoring service. In addition, they may submit a claim for one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for a pro rata cash payment. The value of the pro rata cash payment will depend on the number of valid claims received. Based on the estimated response rate, the cash payments are expected to be approximately $60. The deadline for objecting to the settlement and opting out is April 27, 2026. Claims must be submitted by May 27, 2026.


Asheville Eye Associates Settles Lawsuit Stemming from DragonForce Ransomware Attack

Asheville Eye Associates, an eye care provider serving patients in Western North Carolina, has agreed to settle class action litigation stemming from a November 2024 cyberattack and data breach.

A cyber threat actor accessed its network and potentially viewed or obtained patient information, including names, addresses, health insurance information, and medical treatment information. The Asheville Eye Associates data breach was reported to the HHS’ Office for Civil Rights as affecting 204,984 individuals. The DragonForce ransomware group took credit for the attack and claimed to have exfiltrated 540 GB of data before encrypting files. The data was leaked when the ransom was not paid. The affected individuals were notified about the attack in early February 2024.

Multiple lawsuits were filed in response to the data breach by plaintiffs Robert Woodsmall, Mimi Reynolds, Dena Brito, Robert Ricchetti, and Christopher Miller. The lawsuits were consolidated, In re Asheville Eye Associates Data Incident Litigation, in South Carolina’s General Court of Justice Superior Court Division. The lawsuit asserted several claims, including negligence, negligence per se, unjust enrichment, breach of implied contract, and breach of confidence. Asheville Eye Associates denies all claims and contentions in the lawsuit and maintains there was no wrongdoing.

Following mediation, all parties agreed to settle the litigation to avoid further litigation costs and expenses, and the uncertainty of a trial. Under the terms of the settlement, Asheville Eye Associates has agreed to pay for attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and several benefits for the class members.

Attorneys’ fees and expenses will not exceed $500,000, settlement administration costs are $53,000, and service awards of $1,250 per class representative (total: $6,250) have been approved. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $1,250 per class member. All class members may claim one year of identity theft protection services, and will automatically receive a $10 voucher that can be used toward the purchase of eyeglasses at any Asheville Eye Associates location (except its 21 Medical Park Drive, Asheville, North Carolina location).

The deadline for objection, exclusion, and submitting a claim is April 6, 2026. The final fairness hearing has been scheduled for May 14, 2026.


Rebound Orthopedics & Neurosurgery Pays $2.5 Million to Settle Data Breach Lawsuit

Rebound Orthopedics & Neurosurgery, a Vancouver, WA-based orthopedic and neurosurgery practice, has agreed to pay $2,500,000 to settle a class action lawsuit over a February 2024 security incident involving unauthorized access to the protected health information of 426,536 patients. Data compromised in the incident included names, dates of birth, medical information, health insurance information, Social Security numbers, financial account information, driver’s license numbers, and passport numbers.

The affected patients started to be notified on April 15, 2024, and the first class action lawsuit related to the data breach was filed on February 7, 2025, in the Superior Court of the State of Washington, Clark County. A further five class action lawsuits were filed by other affected individuals, which were consolidated in the same court – Cooper, et al. v. Rebound Orthopedics & Neurosurgery P.C.

The consolidated lawsuit alleged that Rebound Orthopedics & Neurosurgery was at fault, as reasonable and appropriate cybersecurity measures had not been implemented prior to the data breach. The lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, invasion of privacy, and violations of the Washington Consumer Protection Act and the Oregon Unlawful Trade Practices Act. Rebound Orthopedics & Neurosurgery denies all claims of fault, wrongdoing, and liability.

To avoid the costs, expenses, distraction, and burden of continuing with the litigation, and the uncertainty of a trial and related appeals, all parties agreed to settle the lawsuit. Class counsel and the class representatives believe that the settlement is fair. Under the terms of the settlement, Rebound Orthopedics & Neurosurgery has agreed to establish a $2,500,000 settlement fund to cover attorneys’ fees and expenses, notification and settlement costs, service awards for the class representatives, and benefits for the class members.

Class members may submit a claim for a two-year membership to the CyEx Medical Shield Complete credit and medical data monitoring service, plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses incurred due to the data breach up to $5,000 per class member. Alternatively, a claim may be submitted for a one-time pro rata cash payment, which is estimated to be $75 per class member, but may be higher or lower depending on the number of valid claims received.

The deadline for objection to and exclusion from the settlement is May 28, 2026. Claims must be submitted by May 28, 2026, and the final fairness hearing has been scheduled for June 12, 2026.


Catholic Health System & Northwell Health Settle Pixel Lawsuits

The New York-based health systems, Catholic Health System & Northwell Health, have agreed to settle class action lawsuits stemming from their use of pixels and other website tracking and analytics tools, which are alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without consent.

Website tracking and analytics tools are used extensively across the internet for tracking website visitors. While these tools can collect valuable information to help website owners improve their websites, they can also collect and transmit sensitive data to the third-party providers of the tools. That disclosed information may then be used for advertising purposes.

Depending on how these tools are implemented, they may violate the HIPAA Privacy Rule, such as if they are added to web pages or apps that require authentication. Over the past three years, many lawsuits have been filed over the use of these tools by healthcare providers. HIPAA has no private cause of action, so individuals cannot sue for HIPAA violations. The lawsuits were filed for alleged violations of federal wiretapping laws and state consumer protection laws.

Catholic Health System Pixel Settlement

Catholic Health System, a non-profit integrated health system based in Buffalo, New York, was sued for implementing these tools, which resulted in impermissible disclosures of protected health information to Meta and other third parties. The defendant filed a motion to dismiss, which was partially successful; however, the lawsuit was allowed to proceed, and an amended complaint – J.C. v. Catholic Health System, Inc. – was filed in the Supreme Court of the State of New York, County of Erie.

Catholic Health System denies any wrongdoing whatsoever and also denies that tracking technologies were added to its patient portal or electronic medical record system; however, following mediation, a settlement was agreed upon by all parties. The settlement provides benefits to all patients who logged into the Catholic Health System MyChart patient portal from January 1, 2020, through December 11, 2025 (Subclass 1), and any current or former patient who sought and received treatment from Catholic Health System between the same dates, not including individuals in Subclass 1 (Subclass 2).

The defendant has agreed to pay all attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. Class members in Subclass 1 may submit a claim for a one-time cash payment of $20, and members of Subclass 2 may submit a claim for a 12-month membership to a Dashlane privacy monitoring service. Class members have until March 11, 2026, to object to the settlement or exclude themselves. Claims must be submitted by April 10, 2026, and the final fairness hearing has been scheduled for April 23, 2026.

Northwell Health Pixel Settlement

Northwell Health, a New York-based nonprofit integrated healthcare system serving patients in New York and Connecticut, faced similar class action litigation over the use of website tracking tools that were alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without patients’ knowledge or consent. Through these tools, the defendant is alleged to have disclosed information related to past, present, or future health conditions, which would allow third parties to determine that an individual was a patient or seeking treatment, together with the type of medical care being sought.

The lawsuit, Kaplan v. Northwell Health, Inc., was filed in the Supreme Court of the State of New York, County of Kings and asserted claims of breach of fiduciary duty/confidentiality, breach of implied contract, unjust enrichment, negligence, invasion of privacy under New York Civil Rights Law, violations of the New York Consumer Law for Deceptive Acts and Practices, and violations of the Electronic Communications Privacy Act.

The defendant denies all claims of fault, wrongdoing, and liability and disagrees with all contentions in the lawsuit; however, to avoid the expense of ongoing litigation and the uncertainty of a trial and related appeals, the decision was taken to settle the litigation. There are two settlement classes, with different benefits. Individuals who used Northwell Health’s FollowMyHealth patient portal between January 1, 2020, and December 31, 2023, are in Settlement Subclass 1 and may submit a claim for monetary relief of $15 per class member. All other patients of Northwell Health between January 1, 2020, and July 25, 2024, not including those in Settlement Subclass 1, are in Settlement Subclass 2 and may claim a 12-month membership to a privacy monitoring service.

The deadline for objection and opting out is March 23, 2026. The deadline for submitting a claim is April 20, 2026, and the final fairness hearing has been scheduled for April 21, 2026.
