Legal News about HIPAA Compliance

$3.3M Settlement Resolves Data Breach Lawsuit Against Mt. Baker Imaging & Northwest Radiologists

Mt. Baker Imaging and Northwest Radiologists have agreed to pay $3,300,000 to settle a consolidated class action lawsuit stemming from a January 2025 ransomware attack and data breach affecting hundreds of thousands of patients.

Mt. Baker Imaging is a Washington-based medical imaging provider that uses Northwest Radiologists for interpreting medical images. In January 2025, a cyberattack was identified, and the forensic investigation determined that an unauthorized third party accessed its network between January 20, 2025, and January 25, 2025, and obtained files containing names, contact information, dates of birth, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, and health insurance information. The data breach was reported to the Washington Attorney General as affecting 348,118 state residents, and the HHS’ Office for Civil Rights was informed that the protected health information of up to 362,713 individuals was compromised in the incident.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated in a single complaint – In re: Mt. Baker Imaging, LLC, Data Security Litigation – in the Superior Court of the State of Washington for Whatcom County. The lawsuit alleged that the defendants failed to implement and maintain necessary data security safeguards, and asserted claims for negligence, breach of implied contract, invasion of privacy (intrusion upon seclusion), unjust enrichment, and violations of the Uniform Health Care Information Act, Washington Consumer Protection Act, Washington Data Breach Notification Disclosure Law, and Washington My Health My Data Act.

The defendants and the plaintiffs disagree about the legal claims made in the litigation; however, all parties agreed that a settlement was the best outcome, due to the benefits provided to the class members and the avoidance of the costs, risks, and uncertainty of continuing with the litigation. The defendants have agreed to establish a $3,300,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the nine class representatives. The remainder of the settlement fund will be used to pay benefits to approximately 340,184 class members.

All class members are entitled to claim a two-year membership to a medical identity theft protection and monitoring service, and may submit claims for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and claim a pro rata cash payment. The pro rata cash payments will distribute the net amount of the settlement fund after costs, expenses, claims, and medical identity theft protection and monitoring costs have been paid.

The deadline for objection and exclusion is July 20, 2026, and claims must be submitted by August 19, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 21, 2026.

The post $3.3M Settlement Resolves Data Breach Lawsuit Against Mt. Baker Imaging & Northwest Radiologists appeared first on The HIPAA Journal.

Family Medicine Centers Pays $2.15M to Resolve Data Breach Lawsuit

FMC Services, LLC, which does business as Family Medicine Centers in Texas, has agreed to a $2,150,000 settlement to resolve claims related to a July 2022 data breach. Amarillo, TX-based Family Medicine Centers is a network of four primary care clinics in Amarillo and Canyon, and urgent care clinics operating under the name of CareXpress.

On or around July 26, 2022, a data security incident was identified. Unauthorized individuals had accessed its network systems, which contained personally identifiable information (PII) and protected health information (PHI) such as names, mailing addresses, birth dates, Social Security numbers, and health information. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 233,948 individuals. According to the lawsuit, notification letters were sent to 266,540 individuals.

Multiple lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Sharber, et al. v. FMC Services, LLC – in the District Court of Potter County, Texas. The consolidated lawsuit alleged that the defendant had implemented inadequate data security measures, resulting in an intrusion and the theft of sensitive data. The lawsuit asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment, and sought declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages, and equitable relief.

Family Medicine Centers denied and continues to deny all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability. In mid-2024, the parties began discussing the prospect of a settlement to bring the litigation to an end. A mediation session was scheduled but ended without a settlement being reached. Following extensive discovery and litigation, and an unsuccessful Motion for Summary Judgment by the defendant, the parties agreed to a second attempt at mediation, and the material terms of a settlement were agreed upon.

The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court. The final fairness hearing has been scheduled for September 15, 2026. The defendant has agreed to establish a $2,150,000 settlement fund, which will be used to pay benefits to the class members, once attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the four class representatives have been deducted.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. If a claim for reimbursement of losses is not submitted, class members may instead file a claim for an alternative cash payment, which is estimated to be $75 per class member, although the amount depends on the remaining funds once the reimbursement claims have been paid.

In addition to one of the cash payments, a claim may be submitted for a two-year membership to a medical data monitoring service. Class members wishing to object to or exclude themselves from the settlement must do so by August 17, 2026. Claims must be submitted by August 31, 2026.

Mission Community Hospital Pays $1.55M to Settle Data Breach Lawsuit

Deanco Healthcare, LLC, the operator of Mission Community Hospital, an acute care hospital serving patients in the San Fernando Valley in California, has agreed to a settlement to resolve claims stemming from a cyberattack that was discovered by the hospital on May 1, 2023.

According to the forensic investigation, the unauthorized access started the same day, and while the attack was quickly identified and contained, the threat actor exfiltrated files containing patient data such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and financial account information. The Ransomhouse ransomware group took responsibility for the attack and claimed to have exfiltrated around 2.5 terabytes of data. The data breach was reported to the HHS’ Office for Civil Rights as affecting 269,547 individuals.

Two class action lawsuits were filed in response to the data breach in the Superior Court of California for the County of Los Angeles, which were consolidated into a single action – Concepcion et al. v. Deanco Healthcare – as they had overlapping claims. The consolidated lawsuit claimed that the defendant was negligent and should have prevented the cyberattack and data breach. The claims were denied by the defendant, which maintains that there was no wrongdoing and that there is no liability. All parties ultimately agreed to a settlement to avoid the costs of continued litigation and the uncertainty of a trial.

Mission Community Hospital in California has agreed to pay $1,546,409.42 to settle the lawsuit. Class members – individuals who were notified by Mission Community Hospital, Deanco Healthcare, or a Deanco affiliate that they had been affected by the incident – may claim one or more benefits, which will be paid after attorneys’ fees and expenses ($541,243.30 + up to $50,000), settlement administration costs (up to $235,400), and service awards for the class representatives ($2,000 each; $4,000 total) have been paid. Should claims exceed the residual funds, they will be paid pro rata.

Class members are entitled to claim a two-year membership to a medical data monitoring service, and California residents at the time of the data breach may claim a $100 statutory payment. In addition, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a cash payment, which will be paid pro rata from the residual funds after the above benefits have been paid. The deadline for objection and opting out is July 13, 2026. The deadline for filing a claim is August 12, 2026, and the final approval hearing has been scheduled for September 9, 2026.

Home Healthcare Agency Owner Facing Decades in Jail for $1.6M Medicare Fraud Scheme

The owner and operator of a Michigan home health care company has been convicted of five counts of healthcare fraud and four counts of paying illegal healthcare kickbacks and now faces decades in jail. Ruby Scott, 55, of Farmington Hills, Michigan, the owner and operator of Delta Home Health Care LLC, was alleged to have operated a fraud scheme that caused more than $1.6 million in losses to the Medicare program. From 2018 to 2021, Scott was alleged to have fraudulently billed Medicare for home health services using stolen patient records.

Scott bribed a discharge nurse at a Detroit hospital to identify Medicare patients and fax their medical records to Delta Home Health Care. Scott developed a kickback relationship with the nurse, paying approximately $300 for each set of patient records that were successfully used to bill Medicare. The discharge nurse was paid more than $130,000 via PayPal, CashApp, cash, and check for providing the records.

Scott used confidential diagnostic and personal information to bill Medicare for home healthcare services for the patients, falsely representing that a doctor had certified that the patients satisfied the Medicare requirements for home health care services. The patients were unaware that their personal and health information was being used to submit false claims, and the doctors had never met any of the patients and did not know that their information was being used on the fraudulent claims. Medicare paid approximately $1.2 million to Delta, causing approximately $1.6 million in losses to the Medicare program.

Scott was charged with multiple counts of fraud and operating an illegal kickback scheme and was recently convicted by a federal jury in the Eastern District of Michigan. The jury found Scott guilty of five counts of health care fraud, one count of conspiracy to defraud the United States and pay illegal health care kickbacks, and four counts of paying illegal health care kickbacks. The health care fraud and kickback counts each carry a maximum sentence of 10 years in prison, and Scott faces a maximum of 5 years in prison for the conspiracy count. Scott is due to be sentenced on September 24, 2026.

“The [Department of Justice] Fraud Division is laser-focused on investigating and prosecuting those who commit fraud against the American people,” explained the Department of Justice in a press release announcing the guilty verdict. “The Department’s work to combat fraud supports President Trump’s Task Force to Eliminate Fraud, a whole-of-government effort chaired by Vice President J.D. Vance to eliminate fraud, waste, and abuse within Federal benefit programs.”

Datavant Group to Pay $900,000 to Settle Class Action Data Breach Lawsuit

A settlement has been agreed to resolve a class action lawsuit against Ciox Health, which does business as Datavant Group, an Arizona-based health IT company, over a May 2024 email-related data breach.

Suspicious activity was identified within an employee’s email account on May 9, 2024. The forensic investigation confirmed that an unauthorized individual had access to the account between May 8 and May 9, 2024. Access to the account was gained after an employee responded to a phishing email. The breach was reported to the HHS’ Office for Civil Rights as affecting 320,702 individuals. Data potentially compromised in the incident included names, dates of birth, addresses, contact information, Social Security numbers, financial account information, driver’s license numbers, passport numbers, and health information.

A lawsuit was filed in response to the data breach – Jackson v. Ciox Health, LLC d/b/a Datavant Group – in the United States District Court for the District of Arizona. The lawsuit alleged that the defendant failed to implement sufficient security measures to protect patients’ sensitive information, that the failure amounted to negligence, and that the defendant had violated the Illinois Consumer Fraud and Deceptive Business Practices Act.

As is common in class action data breach lawsuits, the parties explored the possibility of an early resolution to the lawsuit to avoid the costs and risks associated with continuing with the litigation. An appropriate settlement was agreed upon by all parties, and the settlement has received preliminary approval from the court. Datavant Group has agreed to pay $900,000 to resolve the lawsuit. The settlement fund will be used to pay attorneys’ fees and expenses, service awards for the class representatives, settlement administration and notification costs, and benefits for the class members. While the OCR breach portal states that more than 320,000 individuals were affected, the class consists of 58,309 individuals.

Class members may submit a claim for up to $5,000 as reimbursement for documented, unreimbursed losses incurred as a result of the data breach. Alternatively, a claim may be submitted for a one-time pro rata cash payment. The amount of each cash payment will depend on the number of valid claims received. In addition to one of those benefits, class members may also enroll in one year of expanded identity theft protection and fraud monitoring services. The deadline for objection and exclusion is July 20, 2026. Claims must be submitted by August 18, 2026, and the final fairness hearing has been scheduled for September 4, 2026.

Endue Software Agrees to $870,000 Data Breach Settlement

Endue Software has agreed to pay $870,000 to settle a class action lawsuit that was filed in response to a cyberattack and data breach that affected more than 118,000 individuals. Endue Software is a software-as-a-service company that provides an infusion management platform to healthcare providers for managing infusion operations. On February 17, 2025, suspicious activity was identified within its systems. The forensic investigation confirmed unauthorized access for a short period on February 17, 2025, during which time files containing patient information were copied. Data compromised in the incident included full names, addresses, dates of birth, Social Security numbers, and medical record numbers. The affected individuals were notified on April 11, 2025.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated – Pauley, et al. v. Endue Inc. d/b/a Endue Software – in the United States District Court for the District of Maine. The consolidated lawsuit alleged that the data breach occurred as a result of the failure to implement reasonable and appropriate cybersecurity measures and should have been prevented.

The lawsuit asserted claims for negligence/negligence per se, breach of third-party beneficiary contract, unjust enrichment, and declaratory judgment/injunctive relief. Endue Software denies all claims and contentions in the lawsuit, and maintains there is no liability and that there was no wrongdoing. Shortly after filing the lawsuit, the parties explored the possibility of an early resolution and agreed that the appropriate venue was the 17th Judicial Circuit in and for Broward County, Florida, for settlement discussions. The consolidated lawsuit was dismissed and refiled in Florida, asserting claims for negligence/negligence per se, and breach of third-party beneficiary contract.

The terms of a settlement were agreed upon, and the settlement has received preliminary approval from the court. The settlement provides two years of medical data and credit monitoring services, and class members may claim one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or a claim may be submitted for an alternative one-time cash payment of $65.

A $260,000 fund has been established to cover the alternative cash payments, which will be subject to a pro rata increase or decrease depending on the number of claims received. The total settlement fund is capped at $870,000. The deadline for objection to and exclusion from the settlement, and for filing a claim, is June 30, 2026. The final fairness hearing has been scheduled for July 15, 2026.

Esse Health Agrees to Pay $2.53M to Settle Data Breach Lawsuit

American Multispecialty Group, doing business as Esse Health, a Missouri-based independent physician group serving the greater St. Louis area, experienced a cyberattack and data breach in April 2025. Esse Health faced multiple class action lawsuits in response to the data breach, and the consolidated class action lawsuit has recently been settled. Esse Health has agreed to pay $2,525,000 to resolve the lawsuit.

The cyberattack was detected by Esse Health on April 21, 2025, and the forensic investigation confirmed that the hackers obtained sensitive data such as names, addresses, birth dates, health information, and health insurance information. Around 5,000 individuals also had their Social Security numbers compromised in the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the electronic protected health information of 23,671 patients; however, the data breach was much more extensive. The Maine Attorney General was informed that the breach affected 263,601 individuals. The lawsuit states that approximately 521,167 individuals were affected.

The data breach was first announced by Esse Health on May 15, 2025, and shortly thereafter, a class action lawsuit was filed by Plaintiff Casten Clausner in the U.S. District Court for the Eastern District of Missouri. A further seven plaintiffs filed similar actions in state court in St. Louis County and the City of St. Louis. All actions were consolidated in the 22nd Judicial Circuit Court of St. Louis City, Missouri, in June 2025.

The consolidated lawsuit – Clausner et al. v. American Multispecialty Group – claims that the data breach could have been prevented and was due to the failure of the defendant to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, breach of confidence, breach of fiduciary duty, invasion of privacy, unjust enrichment, violation of the Missouri Merchandise Practices Act, and declaratory and injunctive relief. Esse Health maintains that there was no wrongdoing and that there is no liability; however, following mediation, a settlement was agreed upon by all parties to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, Esse Health has agreed to establish a $2,525,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the eight class representatives, and benefits for the class members. After costs and expenses have been deducted from the settlement fund, the remainder will be used to pay for class member benefits. While most class action lawsuit settlements allow class members to submit a claim for reimbursement of losses, this settlement only provides a pro rata cash payment, which is expected to be $50 per class member. The payments may be higher or lower depending on the number of claims received.

In addition, class members are entitled to enroll in two years of medical identity protection services, which include a $1 million medical identity theft insurance policy. The cost of the medical identity protection will be paid separately by Esse Health. The settlement has received preliminary approval from the court. The deadline for objection and exclusion from the settlement is July 5, 2026. Claims must be submitted by August 4, 2026, and the final approval hearing has been scheduled for August 3, 2026.

Gandara Mental Health Center Settles Class Action Data Breach Lawsuit

Gandara Mental Health Center in Springfield, Massachusetts, has agreed to settle class action litigation stemming from a June 2024 cyberattack and data breach that affected 17,543 individuals. The cyberattack was detected on June 20, 2024, and Gandara Mental Health Center determined that personal and protected health information, such as names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, treatment information, and health insurance information, had been compromised. The hackers claimed to have exfiltrated approximately 450 GB of data.

A class action lawsuit – Eugene Mitchell v. Gandara Mental Health Center, Inc. – was filed in Hampden County, Massachusetts, in response to the data breach. The lawsuit alleged that the defendant failed to properly secure its network, leading to the theft of the plaintiffs’ personal and protected health information, and asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and breach of fiduciary duty. Gandara Mental Health Center denies all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability.

All parties agreed upon a settlement to avoid further legal costs and expenses and the uncertainty of a trial and any related appeals. Under the terms of the settlement, class members are entitled to enroll in three years of identity theft protection and medical data monitoring services. A claim may also be submitted for reimbursement of up to $500 in ordinary losses, including up to four hours of lost time at $25 per hour, and up to $5,000 in extraordinary losses incurred as a result of the data breach. If a claim is not submitted for reimbursement of losses and lost time, an alternative one-time cash payment of $60 can be claimed. Benefits for the class members have been capped at $900,000 and will be reduced pro rata if that total is exceeded.

The deadline for objection to and exclusion from the settlement is July 24, 2026. Claims must also be submitted before that date. The final approval hearing has been scheduled for August 25, 2026.

Oglethorpe Settles Data Breach Lawsuit

Oglethorpe, a Tampa, FL-based network of mental health and addiction recovery treatment facilities, was sued in response to a June 2025 hacking incident in which the personal and protected health information of 92,000 current and former patients and employees was stolen. The lawsuit has recently been settled and a cash fund of $350,000 will be created to cover benefits for class members.

The hacking incident was discovered in June 2025. The forensic investigation determined that the hacker exfiltrated information such as names, Social Security numbers, driver’s license or state identification numbers, and medical information. The affected individuals started to be notified about the incident on October 31, 2025. Multiple class action lawsuits were filed in response to the data breach, alleging that it could have been prevented had reasonable and appropriate cybersecurity measures been implemented.

The lawsuits were consolidated – Scott, et al. v. Oglethorpe, Inc. – in the Circuit Court for Broward County, Florida, since they had overlapping claims and were based on the same facts. The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, and unjust enrichment, as well as requesting declaratory and injunctive relief. Oglethorpe denies wrongdoing, fault, and liability.

All parties explored the opportunity for early resolution of the lawsuit to avoid unnecessary legal costs and the uncertainty of a trial and related appeals. Following several weeks of arm’s-length negotiations, a settlement was agreed upon that was acceptable to all parties. Under the terms of the settlement, Oglethorpe has agreed to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. A separate fund of $350,000 will be created to cover benefits for the class members.

All class members may enroll in one year of medical data monitoring services, which include a $1 million medical identity theft insurance policy. They may also claim one of two cash benefits: A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or a claim may be submitted for an alternative one-time cash payment of $75. That cash payment is subject to a pro rata reduction should the claim total exceed $350,000.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for June 22, 2026. Claims must be submitted by August 8, 2026, and individuals wishing to object to the settlement or exclude themselves must do so by June 8, 2026.