Legal News about HIPAA Compliance

Excelsior Orthopaedics; Buffalo Surgery Center Pay $2.4 Million to Settle Data Breach Lawsuit

A settlement has been reached to resolve class action data breach litigation against Excelsior Orthopaedics and Buffalo Surgery Center. The lawsuit was filed in response to a 2024 data breach that affected hundreds of thousands of patients. On or around June 23, 2024, Amherst, New York-based Excelsior Orthopaedics identified suspicious network activity, and its forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The data breach also affected Northtowns Orthopaedics in Buffalo and Buffalo Surgery Center.

Excelsior Orthopaedics reported the data breach to the HHS’ Office for Civil Rights as affecting 394,752 individuals, and Buffalo Surgery Center reported the breach as affecting 64,000 of its patients. The hackers obtained names, demographic information, driver’s license numbers, Social Security numbers, medical information, health insurance information, and financial information. The affected individuals were notified on December 31, 2024.

Multiple class action lawsuits were filed against Excelsior Orthopaedics and Buffalo Surgery Center over the data breach. The lawsuits were consolidated – Szucs et al. v. Excelsior Orthopaedics, LLP et al. – in the Supreme Court of the State of New York, County of Erie. The consolidated lawsuit alleged that the plaintiffs and class members suffered multiple injuries as a result of the data breach, and that those injuries were caused as a result of the “defendants’ failures to properly secure, safeguard, encrypt, and/or timely and adequately destroy Plaintiffs’ and Class Members’ sensitive personal identifiable and health information.”

The lawsuit alleged that the defendants failed to comply with industry standards for cybersecurity, FTC guidelines, and their obligations under HIPAA. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, and violations of the New York Deceptive Acts and Practices Act.

The defendants deny all claims and contentions in the lawsuit and deny any wrongdoing or liability; however, the defendants and the plaintiffs agreed that a settlement was the best outcome to avoid the costs of protracted litigation and the uncertainty of trial. Under the terms of the settlement, the defendants agreed to pay $2,400,000 to settle the lawsuit, from which attorneys’ fees and expenses, notification and settlement costs, and service awards for the 9 named plaintiffs will be deducted. The remainder of the settlement fund will be used to pay for benefits for the class members.

Those benefits include two years of three-bureau credit monitoring services, the code for which will be automatically sent to the class members, without having to submit a claim. In addition, class members may choose to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, if a claim for reimbursement of losses is not submitted, class members may claim a cash payment. The cash payments will be paid pro rata, and the value will depend on the remaining settlement funds. The deadline for objection to the settlement and exclusion is May 17, 2026. Claims must be submitted by June 11, 2026, and the final fairness hearing has been scheduled for July 8, 2026.

The post Excelsior Orthopaedics; Buffalo Surgery Center Pay $2.4 Million to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Balance Autism Settles Class Action Data Breach Lawsuit

Balance Autism has agreed to settle a class action lawsuit stemming from a security incident that exposed patient information. Altoona, Iowa-based Balance Autism identified a cybersecurity incident on or around March 17, 2025, that resulted in a data breach. Hackers had access to its network from March 11, 2025, to March 17, 2025, and obtained access to data such as names, dates of birth, Social Security numbers, health insurance information, and Medicaid numbers. The data breach was reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 1,281 individuals.

A class action lawsuit – Bennett v. Balance Autism – was filed in the Iowa District Court for Polk County by plaintiff Andrea Bennett, individually and on behalf of other similarly affected individuals. The lawsuit alleged that the cybersecurity incident resulted from the defendant’s negligence in failing to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network. The lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, and invasion of privacy. The defendant denies all claims and contentions in the lawsuit, including allegations of fault, wrongdoing, and liability; however, following mediation, a settlement was agreed that was acceptable to all parties to bring the litigation to an end.

Under the terms of the settlement, Balance Autism has agreed to pay for two years of credit monitoring and identity theft protection services and will accept claims from the affected individuals for up to $400 as reimbursement for out-of-pocket losses due to the data breach, and up to four hours of lost time at $20 per hour. Alternatively, instead of submitting a claim for reimbursement of losses and lost time, class members may submit a claim for a cash payment, which is estimated to be $50, but may be lower, depending on the number of claims received.

The deadline for exclusion and objection is May 1, 2026; the claims deadline is June 1, 2026; and the final approval hearing has been scheduled for June 12, 2026.


Akeela Data Breach Settlement Gets First Nod from the Court

In June of last year, we reported that a settlement had been agreed to resolve a class action lawsuit against Akeela, Inc., over a June 2023 cybersecurity incident and data breach. The case was stayed until July 18, 2025, and the plaintiff was required to move for preliminary approval of class certification before that date. Instead, the plaintiff, Jessica McRorie, dismissed her complaint without prejudice and immediately joined a separate complaint, Batin et al. v. Akeela, Inc., which made substantially similar allegations. The Batin case, filed in the Superior Court for Anchorage, Alaska, has recently been settled, and the settlement has received preliminary approval from the court.

The Batin case lists Jessica McRorie, Elynnie Batin, Jane Doe, Rocky Hawley, Andrew Metcalf, Thomas Maxim, and Kathleet Yarr (Personal Representative for the Estate of Ian Christiansen) as plaintiffs, who allege that their names, Social Security numbers, dates of birth, and medical diagnosis and treatment information were exposed to cybercriminals as a result of the negligence of Akeela. Akeela is alleged to have failed to adequately secure its network, which allowed cybercriminals to access patients’ sensitive data.

The defendant denies the claims and contentions in the lawsuit and disputes the facts, including that any damages have been suffered as a result of the data breach or that the action satisfies the requirements to be certified or tried as a class action. To avoid continuing with the litigation, which would likely be protracted and expensive, and to avoid the uncertainty of a trial, a settlement was agreed.

Compared to most settlement agreements to resolve class action data breach lawsuits, the benefits are limited. Class members may submit a claim for two years of credit monitoring and identity theft protection services, and a pro rata cash payment may be claimed. The cash payments will be paid from the remainder of a $50,000 settlement fund after credit monitoring costs have been deducted. Attorneys’ fees and other costs and expenses will be paid separately by Akeela. The deadline for objection and exclusion is April 13, 2026; the claims deadline is May 25, 2026; and the final approval hearing has been scheduled for April 13, 2026.

June 4, 2025: Akeela Inc. Agrees to Settlement to Resolve Class Action Data Breach Litigation

Akeela Inc., an Anchorage, AK-based provider of mental health and substance use disorder treatment services, has agreed to settle a class action lawsuit filed in response to a 2023 data breach that exposed the protected health information of more than 284,000 individuals.

On or around June 22, 2023, Akeela experienced a disruption to its IT network. The forensic investigation confirmed there had been unauthorized network access and the exfiltration of administrative files containing patients’ protected health information. The stolen information included names, dates of birth, diagnosis and treatment information, and Social Security numbers.

In August 2024, a class action lawsuit – Jessica McRorie v. Akeela Inc. – was filed in the United States District Court for the District of Alaska over the data breach. The lawsuit alleged Akeela was negligent by failing to secure and safeguard patients’ personally identifiable and protected health information and did not comply with industry-standard data security practices, even though there was a known risk that cybercriminals actively target healthcare providers. The lawsuit claims Akeela maintained sensitive data in a reckless manner, and as a direct consequence of its negligence, sensitive patient data is now in the hands of cybercriminals.

Further, when the breach was detected, Akeela delayed issuing notification letters to the affected individuals, who were informed that their sensitive data had been stolen more than a year after the data breach was identified. The lawsuit claims that the delay diminished the plaintiff and class members’ ability to timely and thoroughly mitigate and address the harms resulting from the data breach.

The lawsuit claims the plaintiff and class members have suffered concrete injuries as a result of the data breach, including financial costs from mitigating the risk and imminent threat of identity theft and fraud, loss of time and productivity, actual identity theft and fraud, deprivation of the value of their private information, loss of privacy, and emotional distress, anxiety, and stress. In addition to claims for negligence and negligence per se, the lawsuit asserted claims of breach of implied contract, breach of fiduciary duty, invasion of privacy, and unjust enrichment.

Akeela maintains there was no wrongdoing and denies all of the claims and contentions in the lawsuit; however, the healthcare provider agreed to settle the litigation to avoid further legal costs and the uncertainty of trial. Details of the settlement agreement have yet to be made public; however, the plaintiff and Akeela have reached an agreement in principle on an appropriate settlement. Notices for class members and the motion for preliminary approval from the court are now being prepared.

This post will be updated when the settlement receives preliminary approval from the court.


Essen Medical Associates Agree to $4 Million Settlement to Resolve Class Action Data Breach Lawsuit

Essen Medical Associates has agreed to pay $4,000,000 to resolve class action litigation over a March 2023 cyberattack and data breach that affected 904,672 current and former patients. Essen Medical, a New York-based healthcare provider, experienced a cyberattack that saw hackers access its network between March 14, 2023, and March 22, 2023.

Data exposed in the incident included personally identifiable information and protected health information such as names, driver’s license numbers/state identification numbers, U.S. alien registration numbers, non-U.S. identification numbers, passport numbers, financial account information, dates of birth, Social Security numbers, medical treatment information, and health insurance information.

The data breach sparked several class action lawsuits, which were consolidated – Rivera, et al. v. Essen Medical Associates, P.C. – in the Supreme Court of the State of New York, County of Bronx. The consolidated lawsuit alleged that the cyberattack was preventable and was the result of the defendant’s failure to implement adequate and appropriate cybersecurity procedures and protocols. The lawsuit claimed that the defendant recklessly maintained data on systems vulnerable to cyberattacks.

The lawsuit asserted claims for negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violation of the New York Deceptive Trade Practices Act. Essen Medical denies all charges of wrongdoing or liability, and all claims or contentions alleged against it. All parties agreed that a settlement was the best outcome, and class counsel and the six class representatives believe that the settlement is fair. The settlement has recently received preliminary approval from the court and awaits final approval.

Under the terms of the settlement, Essen Medical will establish a $4,000,000 settlement fund to cover attorneys’ fees and expenses, service awards for the class representatives, and all costs related to the settlement. The attorneys’ fees will be no more than 33.33% of the settlement fund, and the service awards will be no more than $3,000 per class representative. The remainder of the fund will be used to pay for class member benefits.

Class members may submit a claim for documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition, a claim may be submitted for a cash payment of up to $100 per class member. The deadline for objecting to the settlement and exclusion is May 4, 2026. Claims must be submitted by June 1, 2026, and the final fairness hearing has been scheduled for July 7, 2026.


GuardDog Telehealth Admits Improper Access to Medical Records

A telehealth company has admitted to improperly accessing patients’ medical records. GuardDog Telehealth purported to require access to patients’ medical records for treatment purposes; however, the records were accessed in order to provide data to law firms for potential lawsuits.

GuardDog Telehealth obtained access to patients’ medical records through a Health Information Exchange (HIE) network, using Health Gorilla’s interoperability platform to access the records. Health Gorilla is a Qualified Health Information Network (QHIN) under the Trusted Exchange Framework and Common Agreement (TEFCA), through which many companies access patients’ medical records. The network supports patient care and ensures efficient care coordination between healthcare providers.

Epic Systems, the health IT consultancy firm OCHIN, and three healthcare providers filed a lawsuit against Health Gorilla and others, alleging they were allowing “sham” medical practices to access health information exchanges through their interoperability platforms. After gaining access, the sham companies are alleged to have marketed their access to patient data to law firms, offering to help them find plaintiffs for class action lawsuits. In addition to GuardDog Telehealth, other companies accused of improper access included Mammoth Path Solution, RavillaMed, and Llamalab. According to the lawsuit, the sham companies were given connections to Carequality, TEFCA, and other HIEs, which allowed them to access patient records.

The lawsuit seeks immediate relief for fraud, aiding and abetting fraud, violations of the California Business and Professions Code, and the Federal Computer Fraud and Abuse Act. According to the lawsuit, almost 300,000 patient records were improperly accessed by the sham companies under the guise of treatment. Only GuardDog Telehealth has admitted to any wrongdoing.

Companies such as Health Gorilla are the gatekeepers and control who can access their frameworks and sensitive patient data through HIEs. They must therefore ensure that any participants are vetted before they are onboarded, and are accessing the framework for legitimate purposes. Health Gorilla vehemently denies the allegations and claims that Epic, a rival, is attempting to squash competition.

In a legal filing – stipulated judgment and permanent injunction – on Friday, Epic said it has obtained an admission from Health Gorilla client GuardDog Telehealth that patient records were accessed under the guise of providing chronic care management and remote patient monitoring, when those services were not provided. Instead, records were reviewed, summarized, and the data provided to law firms.

GuardDog Telehealth and Epic have reached an agreement and are seeking a court order permanently barring GuardDog Telehealth from requesting health records via the Carequality and TEFCA interoperability frameworks. GuardDog Telehealth has agreed to delete all patient records obtained from those frameworks within one week and will not use or disclose any patient information obtained from the HIEs. The agreement now awaits approval from the court.

Epic said the legal action against Health Gorilla and the other defendants will continue and that it would welcome discussions with other defendants regarding stipulated judgments and permanent injunctions. Health Gorilla maintains that GuardDog Telehealth did not inform it of any non-treatment uses of patient data and maintains that there has been no wrongdoing by Health Gorilla.

“GuardDog’s consent judgment has no legal impact on Health Gorilla, and is incomplete at best and misleading at worst. If you read carefully, GuardDog does not state it ever informed Health Gorilla of any non-treatment use of patient information, and we are prepared to demonstrate it did not,” explained Health Gorilla in a statement. “In addition, when Health Gorilla sought to investigate GuardDog along with the interoperability networks and several major health providers, GuardDog failed to respond and refused to cooperate. Epic’s lawsuit remains an attack on interoperability that threatens patient safety and efficient healthcare nationwide, made worse by misleading submissions like its agreement with GuardDog. Health Gorilla continues to fully comply with all applicable data-sharing frameworks, and we remain confident as we address these claims through the legal processes.”

Epic is also facing legal action of its own, with multiple class action lawsuits filed against it and other companies for failing to prevent Health Gorilla and its clients from connecting to the Epic Care Everywhere health information exchange. The lawsuits allege that Epic and others were negligent, as they either knew or should have known about the misuse of Care Everywhere to obtain patient information for non-treatment purposes, and that they failed to take timely corrective action.


Long Island Plastic Surgical Group Settles Class Action Lawsuit Over BlackCat Ransomware Attack

A consolidated class action lawsuit against Long Island Plastic Surgical Group, P.C. has been resolved with a $2,600,000 settlement. Legal action was taken by patients of the Garden City, New York-based private, academic plastic surgery practice in response to a January 4, 2024, ransomware attack by the ALPHV/BlackCat ransomware group. The forensic investigation confirmed that the BlackCat group accessed its network between January 4, 2024, and January 8, 2024, and used ransomware to encrypt files. Prior to encrypting files, sensitive data was exfiltrated from the network, including personally identifiable information (PII) and protected health information (PHI).

Data stolen in the incident included full names, Social Security numbers, driver’s license numbers or state identification numbers, dates of birth, biometric information, account numbers, credit or debit card information, medical information, patient photographs, health insurance policy information, and patient account numbers. In total, more than 161,000 current and former patients were affected. The BlackCat ransomware group demanded payment to prevent the publication of the stolen data on its dark web data leak site. Long Island Plastic Surgical Group chose to pay the ransom to prevent the release of the stolen data and received confirmation that the stolen data had been deleted.

On October 4, 2024, the affected individuals were notified by mail. Shortly after issuing notifications, seven putative class action lawsuits were filed by patients over the incident, alleging they had suffered harm as a result of the data breach. The lawsuits were consolidated – Baum et al. v. Long Island Plastic Surgical Group, P.C. – in the Supreme Court of the State of New York, County of Nassau.

The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the New York Consumer Law for Deceptive Acts and Practices. Long Island Plastic Surgical Group denies the allegations and all liability, including claims that the plaintiffs suffered any injury or damage as a result of the incident. To avoid the time, expense, and uncertainties of defending protracted litigation, the defendant agreed to settle the litigation. Class counsel and the class representatives agreed to the settlement as they concluded it was in the best interests of the class members.

Under the terms of the settlement, Long Island Plastic Surgical Group will establish a $2,600,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may choose to receive an alternative pro rata cash payment. An additional pro rata cash payment of up to $1,000 may be claimed by class members who had clinical photographs compromised in the incident.

The amount paid to class members claiming alternative cash payments will depend on the number of claims received, including claims for the additional cash payments. The additional cash payments may also be reduced depending on the remaining funds after legal costs and expenses, service awards, administration and notification costs, and claims for reimbursement of losses have been paid. The deadline for objection to and exclusion from the settlement is May 4, 2026. Claims must be submitted by May 18, 2026, and the final approval hearing has been scheduled for June 2, 2026.


$2.35 Million Settlement Agreed to Resolve Cornerstone Specialty Hospitals Data Breach Lawsuit

Cornerstone Healthcare Group Management Services, doing business as Cornerstone Specialty Hospitals (Cornerstone), has agreed to settle class action litigation stemming from a December 2023 cyberattack and data breach.

A threat actor gained access to the Cornerstone network on or around December 19, 2023, and potentially accessed and copied patient information. Data potentially compromised in the incident included names, dates of birth, Social Security numbers, federal or state ID numbers, financial account information, credit or debit card information, digital signatures, email addresses and passwords, usernames and passwords, passport numbers, medical/health information, health insurance information, and other protected health information. Initially, the data breach was reported to the HHS’ Office for Civil Rights using a placeholder estimate of at least 501 affected individuals. The total was later updated to 484,957 individuals.

A lawsuit – Mireles v. Cornerstone Healthcare Group Management Services LLC d/b/a Cornerstone Specialty Hospitals – was filed in the Court of the Western District of Kentucky, Louisville Division, in response to the data breach. The lawsuit alleged that the data breach was a direct result of the defendant’s failure to take necessary and appropriate steps to secure sensitive data on its network, and that the defendant failed to issue timely notifications, which were mailed on or around July 1, 2024, more than 6 months after the incident occurred.

The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and declaratory relief. Cornerstone denies all claims of fault, wrongdoing, and liability, but agreed to a settlement to avoid further legal costs and the uncertainty of a trial. Class counsel and the class representatives believe the settlement is fair and is in the best interests of the class members.

Cornerstone has agreed to establish a $2,350,000 settlement fund to cover attorneys’ fees and expenses, service awards for the class representatives, and settlement fund taxes and tax expenses. The remainder of the fund will be used to pay for benefits to the class members. Individuals whose Social Security numbers were compromised in the incident may claim two years of three-bureau credit monitoring and identity theft protection services. They may also submit a claim for reimbursement of documented, unreimbursed extraordinary losses due to the data breach, up to a maximum of $10,000 per individual.

All class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach. Claims are capped at $2,500 per individual for ordinary losses. Class members who do not submit a claim for reimbursement of losses, either ordinary or extraordinary, may instead claim a pro rata cash payment, which will be paid once costs and claims have been paid. Individuals whose Social Security numbers were exposed will receive a cash payment equal to three times the amount paid to non-SSN subclass members. The deadline for objection and exclusion is April 8, 2026. The deadline for submitting a claim is May 8, 2026, and the final approval hearing has been scheduled for May 14, 2026.


Former Nuance Employee Pleads Guilty to Stealing 1.2 Million Patient Records

A former employee of Nuance Communications has pleaded guilty to accessing and removing the protected health information of 1.2 million patients of Geisinger Health System after he was terminated. Nuance Communications was a business associate of Geisinger and had access to systems containing protected health information.

Max Vance, 46, of El Cajon, California, was terminated by Nuance for unrelated reasons; however, his access rights were not immediately revoked. Two days after his termination, Vance used his access to copy data from Geisinger’s systems. The breach was detected by Geisinger, which notified Nuance, and Vance’s access rights were terminated. Data copied by Vance included patient names, contact information, birth dates, admission/discharge/transfer codes, medical record numbers, and race/gender information. The copied data did not include financial information, Social Security numbers, or health insurance information.

Law enforcement was notified about the unauthorized access and copying of data, and an investigation was launched. The data breach was identified by Geisinger on November 29, 2023, and Vance was arrested in February 2024. During a search of his property, law enforcement found two unregistered firearms, fake and blank IDs, a machine for creating fake ID cards, and electronic equipment containing the stolen data.

Vance’s trial was scheduled for August 2024 but was postponed by the court on several occasions, and was due to take place on April 20, 2026. Vance agreed to enter a guilty plea to one count of obtaining data from a protected computer without authorization, which carries a maximum jail term of 5 years, up to three years of supervised release, and a fine of up to $250,000.

In court on February 27, 2026, Vance entered a guilty plea, although there are certain provisions attached. The plea agreement will see two charges of making false statements to the FBI dropped, with Vance receiving a sentence of time served, followed by three years of supervised release. Vance has already spent more than two years in jail following his arrest, which is longer than the minimum sentence. Under the plea agreement, Vance has agreed to pay restitution, although there is still disagreement on how much should be paid. Vance wanted to be released prior to sentencing; however, the judge refused, pending a review of the plea agreement.

If the judge does not agree to the provisions of the plea agreement, the guilty plea will be withdrawn, and the case will go to trial. Should that happen, Vance will be tried on all charges, including making false statements to the FBI. A sentencing hearing date has not yet been set.


General Physician Pays $2.5 Million to Settle Data Breach Litigation

General Physician, P.C., a medical group serving patients in Western New York, has agreed to pay $2.5 million to settle a class action lawsuit over a 2024 data breach.

Suspicious activity was identified within its email environment on June 12, 2024. The forensic investigation confirmed that an unauthorized third party had access to its email system from April 6, 2024, to June 12, 2024. Patient information exposed and potentially stolen in the incident included full names, addresses, Social Security numbers, financial account information, dates of birth, medical history information, mental and physical treatment information, diagnosis information, treating physician names, medical record numbers, and health insurance information. The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 individuals. The total was later updated to 167,387 individuals.

Several class action lawsuits were filed in response to the data breach, which were consolidated – Newhart v. General Physician, P.C. – in the Supreme Court of the State of New York, County of Erie. The plaintiffs alleged that General Physician was negligent for failing to implement reasonable and appropriate cybersecurity measures to protect sensitive patient data on its network. General Physician maintains that there was no wrongdoing and that there is no liability. All parties explored an early settlement and, following mediation, the material terms of a settlement were agreed. The settlement has now been finalized and has received preliminary approval from the court. The final fairness hearing has been scheduled for June 4, 2025.

Under the terms of the settlement, General Physician has agreed to establish a $2,500,000 settlement fund, which will be used to pay benefits to the class members after attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives have been deducted. While the OCR breach portal states that the protected health information of up to 167,387 individuals was compromised in the incident, the settlement class consists of approximately 490,210 individuals.

Class members are entitled to claim a two-year membership to a single-bureau credit monitoring and medical data monitoring service. In addition, they may submit a claim for one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for a pro rata cash payment. The value of the pro rata cash payment will depend on the number of valid claims received. Based on the estimated response rate, the cash payments are expected to be approximately $60. The deadline for objecting to the settlement and opting out is April 27, 2026. Claims must be submitted by May 27, 2026.
