Legal News about HIPAA Compliance

Children’s Hospital Medical Center of Akron Settles Pixel Class Action Settlement

Another healthcare provider has agreed to settle a class action lawsuit over its use of Meta Pixel and other third-party analytics and tracking tools on its website. Children’s Hospital Medical Center of Akron, doing business as Akron Children’s Hospital, was alleged to have added these tools to its website, but their use and implementation resulted in website visitors’ personally identifiable information being disclosed to Facebook and other third parties without the web visitors’ knowledge or consent.

On January 5, 2024, plaintiff John Doe filed a lawsuit – Doe v. Children’s Hospital Medical Center of Akron – against Akron Children’s Hospital in the Court of Common Pleas, Summit County, Ohio, individually, and as next friend of minors A.D., B.D., and C.D., and other similarly situated individuals. The plaintiff alleged that his own PII and that of his minor children and other individuals was disclosed to third parties such as Meta (Facebook), Google, and others without their knowledge or consent, resulting in an invasion of privacy.

In addition to invasion of privacy – intrusion upon seclusion, the lawsuit asserted claims of negligence, negligence per se, breach of confidence, unjust enrichment, and interception and disclosure of electronic communications. Akron Children’s Hospital denies all claims asserted in the lawsuit and all allegations of wrongdoing and liability; however, it attempted mediation to avoid further litigation costs and the uncertainty of a jury trial. While initial mediation efforts failed, after several months of negotiation, a settlement was agreed that was acceptable to all parties. The settlement agreement has now received preliminary approval from Judge Alison McCarty.

The settlement agreement addresses the harm caused by the alleged data disclosure, the potential for future harm, and economic losses incurred by the plaintiffs and the 313,700 class members. All class members will be entitled to claim a one-time cash payment of $19 and will be provided with two years of credit monitoring and identity theft protection services, which include dark web monitoring, lost wallet assistance, a $1 million identity theft insurance policy, and fully managed identity theft restoration and advisory services.

Akron Children’s Hospital will also pay attorneys’ fees, costs, and expenses, settlement administration costs, service awards for class members, and has agreed to injunctive relief, which includes the removal of pixels from its public-facing website, and a commitment not to add pixels to its patient portal or any forms on its public-facing website. Akron Children’s Hospital is permitted to use pixels that are essential for website functionality and may use HIPAA-compliant third-party companies in the future for analytics functions, provided a business associate agreement is in place.

The deadline for exclusion from the settlement, objection, and submitting a claim is September 29, 2025. The final approval hearing has been scheduled for October 10, 2025.

The post Children’s Hospital Medical Center of Akron Settles Pixel Class Action Settlement appeared first on The HIPAA Journal.

Mount Sinai Health System Settles Web Tracking Lawsuit for $5.3 Million

Mount Sinai Health System, the largest hospital network in New York City, has agreed to a $5.3 million settlement to resolve allegations it violated federal and state laws by sharing the personal health information of website and patient portal users with Facebook without their knowledge or consent.

Legal action was taken against Mount Sinai Health over its use of the Facebook Pixel and Conversions Application Programming Interface (CAPI) on its website and MyChart patient portal between October 2020 and October 2023. The tool can collect information about website users and transmit that information to Facebook. Mount Sinai Health has denied any wrongdoing and specifically denies that any medical information from either its website or patient portal was shared with Facebook.

The lawsuit – Cooper, et al., v. Mount Sinai Health System, Inc. – was filed in the United States District Court for the Southern District of New York by plaintiffs Ronda Cooper, Coral Fraser, David Gitlin, and Gilbert Manda, who alleged that their personally identifiable health information was being collected and shared with Facebook without their knowledge or consent due to the implementation of CAPI, in violation of the federal Electronic Communications Privacy Act and New York Deceptive Trade Practices. The lawsuit also asserted claims of negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, constructive bailment, and breach of implied covenant of good faith and fair dealing.

The lawsuit survived a motion to dismiss and proceeded to discovery. During discovery, the parties engaged in mediation, and a settlement was agreed in principle to bring the litigation to an end to avoid the cost and risk of a trial and related appeals, while giving appropriate benefits to class members. The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court.

The settlement class consists of 1,314,147 individuals, and claims will be accepted from individuals who logged into their MyChart account via the mountsinai.org website between October 27, 2020, and October 27, 2023. Under the terms of the settlement, Mount Sinai Health has agreed to establish a $5,256,588 settlement fund to cover legal costs and expenses and claims from class members. The plaintiffs’ attorneys will receive up to 35% of the settlement fund and reimbursement of court-approved attorneys’ expenses. Settlement administration costs of up to $200,000 will also be deducted, along with service awards of $2,500 per named plaintiff. The remainder of the settlement fund will be distributed to class members on a pro rata basis.

The deadline for objecting to the settlement, opting out, and filing a claim for benefits is October 14, 2025. The final approval hearing has been scheduled for October 24, 2025.

$2.8 Million Crypto Seizure from Ransomware Operator That Targeted Healthcare

Hot on the heels of the Blacksuit ransomware disruption comes another announcement about major enforcement action against a ransomware group. The U.S. Department of Justice has announced the seizure of $2.8 million in cryptocurrency from the suspected operator of the now-defunct Zeppelin ransomware group.

Six warrants were recently unsealed by federal prosecutors in the U.S. District Courts for the Eastern District of Virginia, the Central District of California, and the Northern District of Texas, which authorized the seizure. The funds were held in a cryptocurrency wallet controlled by Ianis Aleksandrovich Antropenko, who has been indicted in Texas on charges of computer fraud and money laundering. A luxury vehicle and $70,000 in cash were also seized. The funds are suspected of being obtained from companies attacked with Zeppelin ransomware between 2019 and 2022.

While Zeppelin was not the most prolific ransomware operation, the group was responsible for attacks on many U.S. entities, especially those in healthcare and IT, typically targeting vulnerabilities in MSP software. Zeppelin was a ransomware-as-a-service (RaaS) operation that paid affiliates to conduct attacks for a cut of any ransom payments they generated. The group engaged in data theft, file encryption, and extortion, demanding payment for the decryption keys and to ensure data deletion.

The proceeds from the attacks were laundered in a number of ways, such as exchanging the funds for cash and depositing them in structured cash deposits. ChipMixer, a dark web cryptocurrency mixing service, was also used to hide the origin of the cryptocurrency. Through ChipMixer, funds were cashed out in untraceable chips that could be paid into clean cryptocurrency wallets. ChipMixer was taken down in an international law enforcement operation in 2023 that was coordinated by Europol. The operation resulted in the seizure of $46.5 million in cryptocurrency. According to the DOJ, some of the funds were

While the Blacksuit operation was conducted against an active ransomware group, the latest announcement shows that action can and will be taken against cybercriminals for their historic crimes. This case is being handled by Trial Attorney Benjamin Bleiberg of the Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Jongwoo “Daniel” Chung for the Northern District of Texas.

Since 2020, CCIPS has obtained court orders to seize more than $350 million in victim funds and has secured the convictions of more than 180 cybercriminals. Along with partners such as the FBI, CCIPS has disrupted the operations of many ransomware groups and has prevented payments of over $200 million by victims of ransomware groups.

Federal Judge Blocks HHS from Sharing Medicaid Data with ICE

A federal judge has ordered the U.S. Department of Health and Human Services (HHS) to stop sharing the data of Medicaid enrollees with Immigration and Customs Enforcement (ICE) at the Department of Homeland Security for immigration enforcement purposes.

The Medicaid program provides health insurance for individuals with limited income and resources, such as low-income adults, children, pregnant women, elderly adults, and people with disabilities. There are currently around 79 million Medicaid enrollees in the United States. Anyone living in the United States illegally is not permitted to enroll in the federal Medicaid program, although seven states permit non-U.S. citizens to participate in their state Medicaid programs, but do not bill the federal government for the costs.

In June 2025, under the direction of HHS Secretary Robert F. Kennedy Jr., the HHS’s Centers for Medicare and Medicaid Services (CMS) started sharing the personal data of Medicaid recipients with ICE under a new data-sharing agreement. Staff at the CMS attempted to block the data transfers but were overruled by Secretary Kennedy’s advisors. ICE has had a 12-year policy of not using Medicaid data for enforcement purposes, and CMS has previously restricted the use of Medicaid data to the administration of its healthcare programs.

The HHS maintains that the access is being provided as part of the Trump Administration’s push to rid the country of illegal aliens. The data provided by the CMS gives ICE agents identity and location information that allows those individuals to be found by enforcement officers, and is intended to stop federal funds meant for law-abiding Americans from being used to pay for Medicaid benefits for illegal aliens.

When the decision to share Medicaid data with ICE came to light in June, a coalition of 20 state attorneys general took legal action to prevent the HHS from sharing Medicaid data with ICE; however, a further agreement was entered into in July, which provided DHS with daily access to the Medicaid data stream. The shared data includes names, addresses, birth dates, ethnicities, and Social Security numbers, which may not be downloaded, but can be viewed by ICE officials until September 9, 2025, between 9 a.m. and 5 p.m.

The state attorneys general argued that the sharing of Medicaid data with DHS was in violation of HIPAA and threatened to undermine the Medicaid program. “The move to use Medicaid data for immigration enforcement upended longstanding policy protections without notice or consideration for the consequences,” said California Attorney General Rob Bonta. “As the president continues to overstep his authority in his inhumane anti-immigrant crusade, this is a clear reminder that he remains bound by the law.”

Judge Vince Chhabria, a District Court Judge in the Northern District of California, sided with the state attorneys general and ruled that the HHS must stop sharing with ICE, for immigration enforcement purposes, Medicaid data obtained from the 20 states that participated in the lawsuit. The preliminary injunction will remain in place until 14 days after HHS and DHS complete a reasoned decision-making process that complies with the Administrative Procedure Act, or until the litigation is concluded.

In his ruling granting a preliminary injunction, Judge Chhabria said, “Using CMS data for immigration enforcement threatens to significantly disrupt the operation of Medicaid—a program that Congress has deemed critical for the provision of health coverage to the nation’s most vulnerable residents.” While he wrote that there is nothing categorically unlawful about DHS obtaining data on individuals from government agencies such as the HHS for immigration enforcement purposes, ICE has had a well-publicized policy since 2013 against using Medicaid data for its enforcement activities, and the CMS has a long-standing policy of not sharing patients’ personal data for reasons unrelated to its healthcare programs, and even says so on its website.

“Given these policies, and given that the various players in the Medicaid system have relied on them, it was incumbent upon the agencies to carry out a reasoned decisionmaking process before changing them,” wrote Chhabria in his ruling. “The record in this case strongly suggests that no such process occurred.”

Nuance Communications Settles MOVEit Lawsuit for $8.5 Million

A District Court judge has recently given preliminary approval of an $8.5 million settlement to resolve a consolidated class action complaint against the HIPAA business associate Nuance Communications over a May 2023 data breach.

Nuance Communications is a Microsoft-owned computer software company based in Burlington, Massachusetts. The company provides speech recognition solutions and is a vendor to the healthcare industry. Its AI-powered healthcare software solutions are used by physicians and radiologists to deliver personalized and connected experiences to improve care management.

Nuance used Progress Software’s MOVEit Transfer software solution for file transfers. In May 2023, a hacking group known to target file transfer solutions found and exploited a zero-day vulnerability that allowed access to data stored within the MOVEit environment. Nuance has previously confirmed that 13 of its healthcare provider clients were affected. The breached data included names, addresses, email addresses, birth dates, and information related to health records and health insurance. Nuance said 1,225,054 individuals were affected. In total, the breach involved unauthorized access to the personal data of approximately 93 million individuals.

Many class action lawsuits were filed in relation to the MOVEit data breach, six of which were filed against Nuance Communications and were consolidated into a single complaint – In Re: MOVEit Customer Data Security Breach Litigation – as the lawsuits had overlapping claims. The lawsuits alleged that Nuance Communications was negligent by failing to implement appropriate safeguards to ensure all data within the MOVEit system was protected against unauthorized access.

Nuance denies liability for all claims and maintains that it did nothing wrong, did not violate anyone’s privacy, and did not breach any contract; however, it chose to settle the litigation. Under the terms of the settlement, Nuance has agreed to create an $8.5 million settlement fund to cover attorneys’ fees (up to $2,833,333.33), attorneys’ expenses, settlement administration and notice costs ($550,000), and class representative awards ($2,500 per named plaintiff). After those costs have been deducted from the settlement, the remainder will be used to pay for benefits to class members.

Under the terms of the settlement, class members may submit a claim for reimbursement of out-of-pocket expenses and losses linked to the data breach. Claims may be submitted for ordinary losses up to a maximum of $2,500 per class member, and up to $10,000 for reimbursement of extraordinary losses. Claims for losses can include up to 4 hours of lost time at $25 per hour.

Alternatively, class members may submit a claim for a cash payment, which is expected to be approximately $100 per class member, although it is subject to a pro rata adjustment depending on the number of claims received. All class members are entitled to claim two years of credit monitoring, identity theft protection, and insurance services.

The Honorable Allison D. Burroughs of the U.S. District Court for the District of Massachusetts has recently given preliminary approval of the settlement, and the final approval hearing is scheduled for March 18, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 24, 2025, and the deadline for submitting claims is 30 days later. More than 100 other lawsuits filed over the MOVEit data breach are pending. Some of the other affected companies have already announced settlements.

Heartland Alliance Agrees to Data Breach Settlement

A Chicago anti-poverty organization and associated companies have agreed to a $300,000 settlement to resolve a class action lawsuit filed in response to a 2022 data breach. On or around December 15, 2022, Heartland Alliance disclosed a data security incident and mailed notification letters on or around December 21, 2022. An unauthorized third party had access to its network, where files containing sensitive data were stored. Those files contained names, dates of birth, Social Security numbers, driver’s license numbers, bank account numbers, and medical/health information. While the data breach was announced in December 2022, the hackers gained access to the network on January 26, 2022. Heartland Alliance reported the data breach to the HHS’ Office for Civil Rights as involving the protected health information of 46,694 individuals.

A lawsuit was filed against several Heartland entities – Wittmeyer et al. v. Heartland Alliance for Human Needs & Human Rights, Heartland Alliance Health, Heartland Alliance International, LLC, Heartland Housing, Inc., and Heartland Human Care Services, Inc. – in the Circuit Court for Lake County, Illinois, County Department, Chancery Division over the data breach. The plaintiffs alleged that the defendants were negligent due to failing to implement reasonable security measures pursuant to HIPAA, the FTC Act, and the Illinois Consumer Fraud and Deceptive Business Practices Act.

The lawsuit also asserted claims of negligence per se, related to the lack of encryption or equivalent safeguards as required by HIPAA, breach of contract, breach of implied contract, and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. The defendants deny all claims and contentions in the litigation and maintain there was no wrongdoing; however, a settlement was agreed after considering the costs, expenses, distraction, and risks associated with continuing with the litigation.

Under the terms of the settlement, class members may claim compensation for documented, unreimbursed losses of up to $6,000. That includes up to $1,000 for ordinary losses and up to $5,000 for extraordinary losses due to identity theft and fraud. Claims may also be submitted for up to three hours of lost time at $22.50 per hour as compensation for time spent resolving issues related to the data breach. The settlement also includes two years of three-bureau credit monitoring services, which include a $1 million identity theft insurance policy.

The settlement has received preliminary approval from the court, and the final approval hearing has been scheduled for November 19, 2025. Individuals wishing to object to or exclude themselves from the settlement must do so by September 30, 2025, and claims for compensation, lost time, and credit monitoring services must be submitted by October 30, 2025. Further information can be found on the settlement website: https://heartlanddatasettlement.com/

Cencora & The Lash Group Settle Data Breach Litigation for $40 Million

Cencora & The Lash Group have agreed to pay $40 million to settle class action data breach litigation over a February 2024 data breach that affected more than 1.43 million individuals.

Cencora, Inc., formerly AmerisourceBergen, is an American drug wholesale company and a contract research organization, and The Lash Group is a pharmaceutical solutions organization. Cencora disclosed the data breach in a February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC), stating that on February 21, 2024, the company learned that data had been exfiltrated from its information systems.

On July 31, 2024, an updated SEC filing confirmed that more data had been stolen than initially thought. At least 27 pharmaceutical companies were affected, and the stolen personal and protected health information included names, addresses, dates of birth, Social Security Numbers, health and insurance information, financial information, transactional information, consumer profile information, racial/ethnic identity, political opinions, sexual orientation/identity, criminal history, IP addresses, other electronic identifiers, biometric information, genetic information, trade union membership information, and driver’s license and passport information.

Since the breach has been reported separately by several different entities, the total number of affected individuals is not known. TechCrunch tracked breach reports submitted to state Attorneys General and reports that at least 1.43 million individuals have been notified that their data was compromised in the February security incident. Only a few states publish breach report data that includes the number of affected individuals, so the total is likely to be significantly higher than 1.43 million.

Several class action lawsuits were filed against Cencora, the Lash Group, and the affected pharmaceutical firms (see the list below). The lawsuits were consolidated in a single action – Anaya et al. v. Cencora, Inc., et al. – in the U.S. District Court for the Eastern District of Pennsylvania. The defendants were alleged to have been negligent by failing to implement reasonable and appropriate safeguards to protect sensitive data, and as a result of that negligence, sensitive data was stolen.

The defendants chose to settle the lawsuit with no admission of wrongdoing or liability and will establish a $40 million settlement fund to cover attorneys’ fees (up to $13,333,333.33), attorneys’ expenses (up to $300,000), service awards to the 28 class representatives (total $42,000), and settlement administration costs (yet to be determined).

The remainder of the settlement fund will be used to pay benefits to class members. Class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses fairly traceable to the data breach, which were incurred on or after September 1, 2023. Claims have been capped at $5,000 per class member, and the total loss payments are capped at $5,000,000. If that total is exceeded, claims will be paid pro rata. Alternatively, class members may claim a cash fund payment, the value of which will depend on the number of valid claims received.

The dates for exclusion from and objection to the settlement will be 150 days from the date the settlement receives preliminary approval from the court. The deadline for submitting a claim will be 180 days from the date of preliminary approval, and the final approval hearing will be scheduled for 230 days after the preliminary approval date. Claims will be paid between 306 and 311 days after the preliminary approval date. Further information can be found on the settlement website, which is not yet live – cencoraincidentsettlement.com

August 2, 2024: Cencora: Additional Data Exfiltrated in February 2024 Cyberattack

On July 31, 2024, in an updated filing with the Securities and Exchange Commission (SEC), the pharmaceutical firm Cencora explained that more data was exfiltrated from its network in its February 2024 cyberattack than was initially thought, including personally identifiable information (PII) and protected health information (PHI). The majority of the additional data was maintained by one of its subsidiaries that provides patient support services.

The review of the exfiltrated data is still ongoing, and notifications will be issued to the affected individuals in due course. Cencora did not state how many individuals have been affected, the name of the subsidiary company, or the types of data that were compromised in the incident.

Three HIPAA breach reports have previously been filed with the HHS Office for Civil Rights as a result of the Cencora cyberattack, two by AmerisourceBergen Specialty Group which affected 252,214 individuals and 3,102 individuals, and one by The Lash Group, which affected 15,196 individuals. Many of the affected companies have also filed breach reports with state attorneys general, as detailed in previous reporting by the HIPAA Journal (see below).

While data has been stolen, Cencora is unaware of any actual or attempted misuse of the affected data and does not believe any of the stolen data has been published online. Cencora believes the incident has been contained; however, the remediation efforts and file review are ongoing. Cencora has engaged cybersecurity experts to assist with reinforcing cybersecurity measures and strengthening cyber threat monitoring.

May 27, 2024: 2 Dozen Pharmaceutical Companies Affected by Cencora Cyberattack

Cencora, Inc. (formerly AmerisourceBergen), and its Lash Group affiliate have been affected by a cyberattack. Cencora announced the attack in a February 2024 filing with the Securities and Exchange Commission (SEC); however, at that point, the extent of the data breach had yet to be determined, although Cencora did confirm in the SEC filing that data was exfiltrated in the attack.

Cencora is a Conshohocken, PA-based company that partners with pharmaceutical firms, healthcare providers, and pharmacies and offers drug distribution, patient support and services, business analytics and technology, and other services. Around 20% of pharmaceutical products sold and distributed in the United States are handled by Cencora.

Last week, clients of Cencora and The Lash Group started notifying state Attorneys General about the data breach. The total number of affected clients has not yet been confirmed, but the breach is known to have affected at least 27 pharmaceutical and biotechnology companies and involved the theft of the personal data of hundreds of thousands of individuals. Based on the notifications sent to state Attorneys General so far, the following pharmaceutical and biotechnology companies have been affected:

  • Abbot
  • AbbVie Inc.
  • Acadia Pharmaceuticals Inc.
  • Acrotech Biopharma Inc.
  • Amgen Inc.
  • Bausch Health Companies Inc.
  • Bayer Corporation
  • Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
  • CareDx, Inc
  • Dendreon Pharmaceuticals LLC
  • Endo Pharmaceuticals Inc.
  • Genentech, Inc.
  • GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
  • Heron Therapeutics, Inc.
  • Incyte Corporation
  • Johnson & Johnson Services, Inc. & Johnson & Johnson Patient Assistance Foundation, Inc.
  • Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
  • Novartis Pharmaceuticals Corporation
  • Otsuka America Pharmaceutical, Inc.
  • Pfizer Inc.
  • Pharming Healthcare, Inc.
  • Rayner Surgical Inc.
  • Regeneron Pharmaceuticals, Inc
  • Sandoz Inc.
  • Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
  • Takeda Pharmaceuticals U.S.A., Inc.
  • Tolmar

While state Attorneys General often publish notices of data breaches, they do not always state how many individuals have been affected, so the scale of the breach is unknown at this stage. Cencora detected the cyberattack on February 21, 2024, and took immediate action to contain the attack and prevent further unauthorized access. The forensic investigation confirmed that a threat actor had exfiltrated data from its systems, including patient data provided by its clients for its patient support programs. AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said the breach involved data from a prescription supply program run by the now-defunct subsidiary, Medical Initiatives Inc. AmerisourceBergen Specialty Group has filed two separate breach reports with the Office for Civil Rights affecting 252,214 and 3,102 patients. The Lash Group has reported the breach to OCR separately as affecting 15,003 individuals.

On April 10, 2024, Cencora confirmed that the stolen data included first names, last names, addresses, dates of birth, health diagnoses, and/or medications and prescriptions. Cencora’s investigation found no connection with other major healthcare cyberattacks such as the attacks on Change Healthcare and Ascension, and at the time of issuing notifications, Cencora/Lash Group said they were unaware of any actual or attempted misuse of the stolen data and had not detected any public disclosure of the stolen data. While data misuse has not been identified, the affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost. Steps have also been taken to harden defenses to prevent similar security breaches in the future. At the time of publication, no cybercriminal group appears to have claimed responsibility for the attack.

Family Health Center; NorthCare Settle Data Breach Lawsuits

Settlements have received preliminary approval from the courts to resolve class action data breach litigation against Family Health Center in Michigan and NorthCare in Oklahoma.

Family Health Center Class Action Data Breach Settlement

Family Health Center, a Michigan healthcare provider with three locations in Kalamazoo, has agreed to settle class action data breach litigation stemming from a January 25, 2024, cyberattack that exposed the personal and protected health information of up to 34,926 individuals. The ransomware attack prevented access to certain systems, and the forensic investigation confirmed unauthorized access to names, addresses, health insurance information, Social Security numbers, and medical information. The affected individuals were notified about the data breach on March 24, 2024.

Two lawsuits were filed in response to the data breach – Donald Vickery, et al. v. Family Health Center, Inc., and Janet Walker v. Family Health Center, Inc. – in the Ninth Judicial Circuit in and for Kalamazoo County, Michigan. The two lawsuits had overlapping claims and were consolidated on October 16, 2024. The consolidated lawsuit alleged negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, invasion of privacy, and violations of the Michigan Data Breach Notification Act and the Michigan Consumer Protection Act.

The parties mediated on January 15, 2024, and reached an agreement in principle to settle the litigation, with no admission of wrongdoing or liability. All parties agreed to the settlement to avoid the costs, expenses, distraction, burden, and disruption to business operations associated with further litigation. Under the terms of the settlement, the defendants will establish a settlement fund of up to $850,000 to cover attorneys’ fees (up to $283,305), attorneys’ expenses (yet to be determined), service awards to the class representatives ($1,500 for each of the six named plaintiffs), settlement administration costs (up to $75,000), credit monitoring costs (yet to be determined), and payments to class members.

Class members may claim one of two cash payments. Cash Payment A can be claimed as reimbursement for documented, unreimbursed out-of-pocket losses incurred as a result of the data breach up to a maximum of $5,000 per class member. Alternatively, a claim can be submitted for Cash Payment B, which is a flat cash payment of $50.00. In addition to either of the cash payments, class members may claim two years of credit monitoring, dark web monitoring, and managed identity recovery services, which include a $1 million identity theft insurance policy.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for October 17, 2025. Class members wishing to object to or exclude themselves from the settlement must do so by September 8, 2025, and claims must be submitted by October 8, 2025. Further information is available on the settlement website: https://www.fhcdatasettlement.com/

NorthCare Class Action Data Breach Settlement

NorthCare, an Oklahoma City-based mental health clinic, has agreed to settle a class action lawsuit stemming from a June 1, 2021, ransomware attack that involved unauthorized access to the protected health information of up to 128,556 individuals. A ransomware group first gained access to its network on or around May 29, 2021, and potentially viewed or obtained information such as names, addresses, dates of birth, medical diagnoses, and Social Security numbers.

A lawsuit – Ana Chavez Maendele, et al. v. North Oklahoma County Mental Health Center, d/b/a NorthCare – was filed in the District Court of Oklahoma County, Oklahoma, alleging NorthCare was negligent by failing to implement reasonable and appropriate safeguards to prevent unauthorized access to its network. NorthCare maintains there was no wrongdoing and no liability, and said it was prepared to vigorously defend the lawsuit; however, a settlement has been agreed to avoid the burden, expense, risk, and uncertainty of continuing to litigate.

Under the terms of the settlement, NorthCare has agreed to provide benefits to class members. Claims may be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses and financial losses fairly traceable to the data breach up to a maximum of $2,000 per class member. In addition, a claim may be submitted for reimbursement of time spent remedying the effects of the data breach up to a maximum of $100 (5 hours at $20 per hour).

Alternatively, a cash payment of $125 can be claimed by individuals who do not claim reimbursement of losses and/or reimbursement of lost time. All class members can claim three years of single-bureau credit monitoring services. Claims and cash payments will be paid after all costs and expenses have been deducted from the settlement fund. Attorneys’ fees will be up to $250,000, and class representative awards will be $2,000 per named plaintiff.

The deadline for exclusion from and objection to the settlement is September 12, 2025. Claims must be submitted by October 11, 2025, and the final fairness hearing has been scheduled for December 15, 2025.

The post Family Health Center; NorthCare Settle Data Breach Lawsuits appeared first on The HIPAA Journal.

Boston Children’s Health Physicians Pays $5.15M to Settle Data Breach Lawsuit

Valhalla, NY-based Boston Children’s Health Physicians (BCHP) and ATSG Inc. have agreed to pay $5,150,000 to settle a class action lawsuit stemming from a September 2024 cyberattack and data breach that affected approximately 918,000 individuals.

BCHP is a multi-specialty pediatric group serving newborns and children in New York and Connecticut. On September 6, 2024, BCHP learned that a hacking group had gained access to systems of its managed services provider (ATSG Inc. – now XTIUM Inc.), and on September 10, 2024, the hacking group abused the IT vendor’s access to breach BCHP’s own systems.

The BianLian hacking group claimed responsibility for the attack and gained access to names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record numbers, health insurance information, billing information, and limited treatment information. The breach was reported to the HHS as involving the protected health information of 909,469 patients, and employee data was also compromised, with approximately 918,000 individuals in total affected by the breach.

Five lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Noni Wahab, et al. v. Boston Children’s Health Physicians, LLP and ATSG Inc. – in the Supreme Court of the State of New York, County of Westchester. The consolidated class action complaint alleged negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and a violation of New York General Business Law.

The defendants maintain there was no wrongdoing and no liability; however, they chose to settle the lawsuit to avoid the litigation costs, expenses, distractions, burden, and disruption to business operations associated with continuing with the litigation. Under the terms of the settlement, the defendants will establish a $5,150,000 settlement fund to cover attorneys’ fees (up to $1,716,667), attorneys’ expenses (yet to be determined), service awards to the class representatives ($2,500 for each of the named plaintiffs), credit monitoring costs (yet to be determined), settlement administration costs (yet to be determined), and payments to class members.

Two cash payments are available. Class members may submit a claim for reimbursement of documented, unreimbursed losses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may choose to receive a pro rata cash payment, which will be paid after all costs and claims have been paid. The cash payment is expected to be $100, but may be increased or decreased depending on the number of claims received.

In addition to a cash payment, class members may claim two years of Cyex Medical Shield Medical Data Monitoring, which includes medical identity monitoring, real-time alerts, and a $1 million identity theft insurance policy. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 10, 2025. Class members wishing to object to or exclude themselves from the settlement must do so by November 10, 2025, and claims must be submitted by November 25, 2025. Further information is available on the settlement website: https://bchpsettlement.com/

The post Boston Children’s Health Physicians Pays $5.15M to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.