Class action lawsuits over data breaches at Centrelake Medical Group and Des Moines Orthopaedic Surgeons have been resolved with settlements.

Centrelake Medical Group Settlement

Centrelake Medical Group, the operator of 8 medical imaging and oncology centers in California, has agreed to settle a class action lawsuit stemming from a 2019 cybersecurity incident that affected 197,661 patients. Centrelake Medical Group experienced a ransomware attack in February 2019. The hackers had access to its servers from January 9 to February 19, 2019, and potentially obtained information such as names, phone numbers, addresses, Social Security numbers, health insurance information, diagnoses, services performed, dates of service, medical record numbers, referring provider information, and driver’s license numbers.

A lawsuit was filed in response to the data breach – April Kay Moore, et al. v. Centrelake Medical Group, Inc. – in the Superior Court of California, County of Los Angeles Civil Division, which asserted claims of breach of express and/or implied contractual promise, breach of covenant of good faith and fair dealing, violation of Civil Code § 56, et seq., and violation of California Business and Professions Code § 17200, et seq.

Centrelake Medical Group denies all claims of liability and wrongdoing but determined that the litigation would likely be protracted and expensive, and agreed to a settlement. Centrelake Medical Group has agreed to pay $525,000 for attorneys’ fees and expenses, $2,500 for each of the class representatives, and will cover notice and settlement costs.

Class members are entitled to enroll in two years of free medical and credit monitoring services, and claims may be submitted for documented, unreimbursed losses due to the data breach. A cap of $500 has been placed on ordinary losses due to the data breach, and a cap of $3,500 has been placed on extraordinary losses. Individuals who were California residents at the time of the data breach may also claim an additional $50 cash payment. The deadline for submitting a claim is June 12, 2026, and the final fairness hearing has been scheduled for July 14, 2026.

Des Moines Orthopaedic Surgeons Settlement

Des Moines Orthopaedic Surgeons in Iowa has agreed to settle class action litigation over a 2023 data breach. Des Moines Orthopaedic Surgeons experienced a data security incident in February 2023 that impacted its computer systems and resulted in the theft of the protected health information of 307,864 current and former patients. Data compromised in the incident included names, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, passports, direct deposit bank information, medical information, and health insurance information.

Three class action lawsuits were filed in response to the data breach, which were consolidated – Rogers, et al., v. Des Moines Orthopaedic Surgeons, P.C. – in the Iowa District Court for Dallas County. The plaintiffs alleged that the data breach was due to the failure to implement appropriate cybersecurity measures to protect patient data. Des Moines Orthopaedic Surgeons denies all claims of liability and wrongdoing; however, opted to settle the litigation to avoid the costs, expense, distraction, burden, and disruption to business operations from continuing with the litigation.

The settlement includes monetary relief for the class members, which has been capped at $1,000,000. Class members are entitled to claim three years of three-bureau credit monitoring and identity theft protection services. In addition, a claim may be submitted for reimbursement of losses due to the data breach and compensation for lost time. A claim may be submitted for reimbursement of documented, unreimbursed ordinary out-of-pocket losses up to a maximum of $400 per class member, up to four hours of lost time at $25 an hour, and reimbursement of documented, unreimbursed extraordinary losses up to a maximum of $5,000 per class member.

If a claim for reimbursement of losses and lost time is not submitted, class members may claim an alternative cash payment. Those payments are $25 if their Social Security number was not compromised, and $100 if their Social Security number was compromised. The deadline for submitting a claim is March 23, 2026, and the final fairness hearing has been scheduled for April 2, 2026. Individuals wishing to object to the settlement or exclude themselves have until February 23, 2026, to do so.

The post Data Breach Settlements Agreed by Centrelake Medical Group & Des Moines Orthopaedic Surgeons appeared first on The HIPAA Journal.

Emergency Medical Services Authority in Oklahoma and Compassion Health Care in North Carolina were sued over cyberattacks and data breaches. Settlements have now been agreed to resolve both class action lawsuits.

Emergency Medical Services Authority Data Breach Settlement

Emergency Medical Services Authority (EMSA), the largest provider of pre-hospital emergency medical care in the state of Oklahoma, has agreed to settle a class action lawsuit stemming from a cyberattack detected on February 13, 2024. EMSA determined that hackers accessed its network between February 10, 2024, and February 13, 2024, and acquired files containing patient and employee data. The data breach affected 611,743 individuals and included names, addresses, dates of birth, dates of service, and  Social Security numbers.

Two class action lawsuits were filed in response to the data breach, which were consolidated in the Oklahoma District Court of Oklahoma County – Wade Quick and Laura Lance v Emergency Medical Services Authority. EMSA denies all claims of liability, fault, and wrongdoing, and sought to have the lawsuit dismissed. The court sustained in part and denied in part the motion to dismiss, and the lawsuit proceeded to discovery. A second motion to dismiss was filed for lack of jurisdiction, and after the plaintiffs filed their response, all parties agreed to resolve the lawsuit with a settlement rather than continuing to litigate.

Under the terms of the settlement, EMSA will establish a $1.5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the class members, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $3,000 per class member.  A claim may also be submitted for compensation for up to four hours of lost time at $15 per hour. While documentation is not required for the lost time claim, class members must sign an attestation that includes a brief description of the lost time. Lost time payments are included in the £3,000 cap per class member.

Class members may also claim two years of single-bureau credit monitoring and identity theft protection services. The deadline for submitting a claim is March 5, 2026. The final fairness hearing has been scheduled for April 5, 2026.

Compassion Health Care Data Breach Settlement

The Yanceyville, North Carolina-based medical practice, Compassion Health Care, has agreed to pay up to $600,000 to settle a class action lawsuit over a breach of the protected health information of 23,600 individuals. A cybersecurity incident was identified on or around March 17, 2025, and the forensic investigation confirmed that an unauthorized third party hacked its systems, and potentially obtained protected health information such as names, addresses, phone numbers, date of births or ages, Social Security numbers, driver’s license numbers, health insurance information, claims information, and clinical/diagnostic information. The affected individuals were notified about the data breach on or around May 16, 2025.

The first class action lawsuit over the data breach was filed on May 23, 2025, followed by a further two lawsuits. An amended complaint was filed in the Caswell County Superior Court for the State of North Carolina on July 2, 2025, adding the additional plaintiffs – Allin v. Compassion Health Care. The lawsuit alleged that the cyberattack occurred as a result of the failure to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims of negligence/negligence per se, breach of implied contract, breach of confidence, and unjust enrichment.

Shortly after the amended lawsuit was filed, the defendant provided the plaintiffs with informal discovery, including information about the cybersecurity measures implemented prior to the data breach. After arms-length discussions, the material terms of a settlement were agreed upon. The settlement has now been finalized, with no admission of liability or wrongdoing, and the settlement has received preliminary approval from the court. The $600,000 will be used to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach, or class members may claim an alternative cash payment of $40.

The deadline for submitting a claim differs based on CPT ID. Class members with a CPT ID under 20,000 have until February 23, 2026, to submit a claim. Class members with a CPT ID over 20,000 have until May 4, 2026, to submit a claim. The final fairness hearing has been scheduled for May 4, 2026.

The post Emergency Medical Services Authority & Compassion Health Care Settle Data Breach Litigation appeared first on The HIPAA Journal.

Pinehurst Radiology Associates has agreed to settle a class action lawsuit over a January 2025 data breach, and Tallahassee Memorial HealthCare has agreed to settle class action litigation over its use of pixels on its website.

Pinehurst Radiology Associates Settlement

Pinehurst Radiology Associates, a medical diagnostic imaging center in Pinehurst, North Carolina, has agreed to settle a class action lawsuit over a January 2025 security incident that affected 8,682 individuals. Pinehurst Radiology Associates identified a cybersecurity incident on January 20, 2025, and determined that patients’ protected health information had been exposed. Data exposed in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, treatment information, medical record numbers, health insurance information, and Medicare/Medicaid numbers. The affected patients were notified on or around May 22, 2025.

Two class action lawsuits were filed in response to the data breach, which were consolidated in the Superior Court of Moore County, North Carolina – McNeill, et al. v. Pinehurst Radiology Associates, PLLC. The plaintiffs alleged that the data breach resulted from negligence because reasonable and appropriate cybersecurity measures had not been implemented. Pinehurst Radiology Associates denies all claims of wrongdoing, fault, and liability.

All parties explored the possibility of an early settlement, and an agreement on the material terms was reached on September 30, 2025. The final terms of the settlement have been negotiated, and it has received preliminary approval from the court. Pinehurst Radiology Associates has agreed to pay for CyEx Medical Shield Complete medical data monitoring services for 12 months for all class members, which include a $1 million identity theft insurance policy. Claims may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $500 per class member. Losses must have been incurred between January 20, 2025, and April 9, 2026. The deadline for opting out and objection is March 7, 2026. Claims must be submitted by April 9, 2026, and the final fairness hearing has been scheduled for April 6, 2026.

Tallahassee Memorial HealthCare Settlement

Tallahassee Memorial HealthCare has agreed to pay benefits to current and former patients whose personal and protected health information may have been disclosed to third parties, such as Meta Platforms and Google Inc., due to pixels and other tracking and analytics tools on the Tallahassee Memorial HealthCare website.

According to the lawsuit, these tools collected data relating to website use, which may have included personal and protected health information depending on the user’s interactions with the website. The lawsuit claims that these disclosures occurred for marketing and advertising purposes, without the knowledge or consent of website users. The lawsuit claims that the disclosures violated the Florida Security of Communications Act and the Electronic Communications Privacy Act. The lawsuit also asserted claims of invasion of privacy, breach of implied contract, unjust enrichment, and breach of confidence.

Tallahassee Memorial HealthCare denies all claims of wrongdoing and liability, and all material allegations in the lawsuit, but chose to settle the litigation to avoid the cost and uncertainty of a trial and related appeals. The plaintiffs believe all claims have merit but agreed that the settlement is fair and in the best interests of all class members. Under the terms of the settlement, class members can claim a 24-month membership to CyEx Financial Shield Complete, as well as a cash payment of $17. The final fairness hearing has been scheduled for March 2, 2026.

The post Pinehurst Radiology Associates & Tallahassee Memorial HealthCare Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

Settlements have received preliminary approval from the courts to resolve class action lawsuits against Northeast Rehabilitation Hospital Network, American Addiction Centers, and Midwest Physician Administrative Services (Duly Health and Care) over alleged impermissible disclosures of patients’ protected health information.

Northeast Rehabilitation Hospital Network Data Breach Settlement

Northeast Rehabilitation Hospital Network in New Hampshire has agreed to a settlement to resolve a class action data breach lawsuit stemming from a 2024 cyberattack by the Hunters International cyber threat group. The cyberattack was detected on or around May 22, 2024, and the lawsuit states that the private information of 148,515 individuals was compromised in the incident.

The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 136,724 individuals. Data compromised in the incident included names, medical histories, treatment information, patient account numbers, billing/claims information, and health insurance information. Patients were notified about the data breach on or around January 6, 2025.

The first lawsuit over the data breach was filed in January 2025, followed by a further three class action complaints. The lawsuits were consolidated – Minicucci et al. v. Northeast Rehabilitation Hospital Network – in the Rockingham County Superior Court in the State of New Hampshire.

Northeast Rehabilitation Hospital Network denies the claims in the lawsuit but chose to settle the litigation with no admission of liability or wrongdoing. Under the terms of the settlement, class members may submit a claim for one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, a claim may be submitted for a one-time cash payment of $75.00. The deadline for objection, opting out, and submitting a claim is February 17, 2026. The final fairness hearing has been scheduled for March 2, 2026.

American Addiction Centers Data Breach Settlement

American Addiction Centers has agreed to settle a class action lawsuit over a September 26, 2024, data incident involving unauthorized access to the personal information of 423,065 individuals, including the protected health information of 410,747 current and former patients. Data exposed or stolen in the Rhysida ransomware attack included names, addresses, phone numbers, dates of birth, medical record numbers, other identifiers, Social Security numbers, and health insurance information.

Twelve class action lawsuits were filed in response to the data breach, which were consolidated in the United States District Court for the Middle District of Tennessee, as they had overlapping claims. The consolidated lawsuit In re American Addiction Centers, Inc. Data Breach Litigation – alleged that the ransomware attack and data breach occurred due to the failure of American Addiction Centers to implement reasonable and appropriate data security measures. American Addiction Centers denies all claims of wrongdoing, fault, and liability, but agreed to settle the litigation to avoid further legal costs, expenses, and the distraction, burden, and disruption to business operations from continuing with the litigation.

American Addiction Centers has agreed to establish a $2,750,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the twelve plaintiffs, and benefits for the class members. Class members may claim two years of credit monitoring services, reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and a pro rata cash payment, expected to be approximately $50 per class member, but may be higher or lower depending on the number of valid claims received.

The deadline for objection and opting out is March 6, 2026. The deadline for submitting a claim is March 23, 2026, and the final fairness hearing has been scheduled for April 20, 2026.

Midwest Physician Administrative Services (Duly Health and Care) Pixel Settlement

A settlement has been agreed to resolve a class action lawsuit against Midwest Physician Administrative Services, LLC d/b/a Duly Health and Care, over its use of Meta Pixel tracking code on its website, dulyhealthandvcare.com. The plaintiffs alleged that the tracking code transmitted personal and protected health information to Meta Platforms without website users’ knowledge or consent.

The lawsuit – Mayer v. Midwest Physician Administrative Services, LLC d/b/a Duly Health and Care – filed in the United States District Court, Northern District of Illinois alleged that Duly Health and Care encourages patients to use the website to book medical appointments, locate physicians and treatment facilities, communicate medical symptoms, search medical conditions and treatment options, and sign up for events and classes. A patient portal is also maintained for communicating with clinicians, accessing medical records, booking appointments, obtaining test results, and more.

While users of the website and patient portal believed that they were communicating only with Duly Health and Care, without their knowledge, data was being collected and transmitted to Meta Platforms. According to the lawsuit, “By installing the Meta Pixel, Defendant effectively planted a bug on Plaintiffs’ and Class Members’ web browsers and compelled them to unknowingly disclose their private, sensitive and confidential health-related communications with Defendant to Meta.”

The lawsuit asserted eight claims, one for violation of the federal Electronic Communications Privacy Act (ECPA), and seven claims under state law: violation of the Illinois Eavesdropping Statute; violation of the Illinois Consumer Fraud and Deceptive Business Practices Act; violation of the Illinois Uniform Deceptive Trade Practices Act; breach of confidence; invasion of privacy—intrusion upon seclusion; breach of implied contract; and negligence. Duly Health and Care denies all wrongdoing and sought to have the lawsuit dismissed for failure to state a claim. The motion to dismiss was partially successful and resulted in six of the eight claims being dismissed; however, the lawsuit was allowed to proceed with the claims of negligence and violation of the ECPA.

A settlement was agreed upon following mediation and the commencement of discovery. Duly Health and Care has agreed to establish a settlement fund of $1,880,000, from which attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives will be deducted. The remainder of the settlement will be paid pro rata to individuals who submit a claim. Claims will be accepted from patients who logged into the authenticated portion of the website between July 24, 2020, and April 10, 2023. The deadline for opting out and objection is March 2, 2026. The deadline for filing a claim is March 2, 2026, and the final fairness hearing has been scheduled for April 7, 2026.

The post Three Healthcare Providers Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

Staten Island University Hospital (SIUH) in New York has agreed to settle a class action lawsuit over a 2024 data breach involving one of its business associates. The data breach occurred in January 2024 at The Medibase Group Inc., a vendor that provides healthcare solutions, technical assistance, and business office solutions. On or around May 8, 2024, The Medibase Group notified SIUH that an unauthorized third party had gained access to Medibase systems, which contained the protected health information of 35,106 individuals. Data compromised in the incident included names, Social Security numbers, dates of birth, medical information, and health insurance information. Notification letters were mailed to the affected individuals on July 5, 2024.

A class action lawsuit was filed by plaintiffs Belle De Santiago and Elena Girenko over the data breach – Santiago et al. v. Staten Island University Hospital – in the Superior Court of Cherokee County for the State of Georgia. The lawsuit alleged the data breach was the result of the defendant’s failure to implement reasonable and appropriate security measures to protect sensitive patient data.

The lawsuit asserted claims of negligence/negligence per se, breach of implied contract, and unjust enrichment. SIUH denies all claims of wrongdoing, fault, and liability; however, it agreed to a settlement to avoid the litigation costs and expenses, distractions, burden, expense, and disruption to its business operations associated with further litigation. Class counsel and the lead plaintiffs believe the negotiated settlement is reasonable and fair.

Class members may submit a claim for two years of medical data monitoring services, which include a $1 million identity theft insurance policy. In addition, a claim may be submitted for cash payments. A claim can be submitted for compensation for documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member. A claim may also be submitted for a $35.00 flat cash payment. The deadline for exclusion and opting out is March 2, 2026. The deadline for submitting a claim is March 16, 2026, and the final fairness hearing has been scheduled for March 31, 2026.

The post Staten Island University Hospital Settles Lawsuit Over Business Associate Data Breach appeared first on The HIPAA Journal.

McLaren Health Care has agreed to pay $14 million to settle class action litigation stemming from two ransomware attacks in 2023 and 2024 that affected more than 2.8 million patients and employees.

McLaren Health Care is a Grand Rapids, Michigan-based integrated healthcare delivery system that operates 12 hospitals and many healthcare facilities in Michigan, Indiana, and Ohio, and also a health plan. Over the space of a year, McLaren Health Care experienced two ransomware attacks. The first attack was conducted by the ALPHV/BlackCat ransomware group, which had access to its computer network from July 28, 2023, to August 23, 2023. The second attack was conducted by the Inc Ransom ransomware group, which accessed its network between July 17, 2024, and August 3, 2024.

The ALPHV/BlackCat ransomware attack affected 2,103,881 individuals, and the Inc Ransom ransomware attack affected 743,131 individuals. Data compromised in the attacks included names, Social Security numbers, information about past, present, or future physical, mental, or behavioral health or conditions, the provision of health care, and payment for health care.

The first attack was detected on August 22, 2023, and notification letters were mailed to the affected individuals on November 9, 2023. At least eight class action lawsuits were filed in response to the first data breach, which were consolidated in the United States District Court for the Eastern District of Michigan. Following the 2024 ransomware attack and data breach, a further two class action lawsuits were filed. The lawsuits were consolidated in the Michigan 7^th Judicial Circuit Court for Genesee County – Cindy Womack-Devereaux, et al. v. McLaren Health Care Corporation.

The lawsuit alleged that McLaren Health Care had inadequate security measures, did not comply with industry standards for data security, FTC guidelines, or the HIPAA Rules, resulting in the first attack. Then, McLaren Health Care failed to learn from the ransomware attack and did not make the necessary security upgrades to prevent further incidents, resulting in a second ransomware attack.

The plaintiffs alleged that they suffered concrete injuries as a result of the attacks, including invasion of privacy, theft of their private information, lost or diminished value of their private information, lost time and opportunity costs, loss of benefit of the bargain, loss of employment opportunities, and a continued risk of their private information being misused, as it remains unencrypted and available for other parties to access via the dark web. The lawsuit asserted claims of negligence, breach of implied contract, breach of express contract, and unjust enrichment. McLaren Health Care disagrees with all claims and contentions in the lawsuit.

Following months of dialogue about a potential settlement, the plaintiffs issued a settlement demand, and an appropriate settlement was ultimately agreed upon following mediation. Under the terms of the settlement, class members may submit a claim for one year of single-bureau credit monitoring and identity theft protection services plus one or two cash payments. The first cash payment may be claimed for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. The losses must have been incurred on or after July 28, 2023, and be more likely than not traceable to either of the data breaches.

Regardless of whether a claim is submitted for reimbursement of losses, class members may submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees and expenses, settlement administration costs, service awards for the lead plaintiffs, credit monitoring costs, and claims for reimbursement of losses have been deducted. McLaren Health Care has also agreed to take certain remedial measures and enhance security.

The deadline for exclusion and objection is March 16, 2026. The deadline for submitting a claim is April 29, 2026, and the final approval hearing has been scheduled for April 21, 2026.

The post McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks appeared first on The HIPAA Journal.

Two healthcare providers have agreed to settle class action lawsuits over their use of website tracking technologies. Website tracking technologies, such as pixels, can collect and transmit data about website users, which can include personally identifiable information and protected health information if installed on a healthcare provider’s website or patient portal. These tools have been found on the websites of many hospitals, and many lawsuits have been filed by individuals for privacy violations. Two such lawsuits against Legacy Health and Garnet Health have recently been settled, with no admission of liability, fault, or wrongdoing by the healthcare providers.

Legacy Health

Legacy Health, a nonprofit health system with seven hospitals and more than 90 clinics in Oregon and Vancouver, Washington, was sued over the alleged use of third-party tracking tools on its websites without the knowledge or consent of website users. According to the lawsuit, the tools transmitted patients’ personally identifiable information to third parties such as Meta Platforms Inc. (Facebook) and Alphabet Inc. (Google).

The lawsuit – Katherine Layman v. Legacy Health – asserted claims of negligence, breach of confidence, invasion of privacy, breach of implied contract, unjust enrichment, and violation of the Electronic Communications Privacy Act. All parties agreed to settle the litigation to avoid the cost and time associated with continuing with the litigation, and the uncertainty of trial.

Under the terms of the settlement, Legacy Health has agreed to pay up to $2,200,000 to cover attorneys’ fees and expenses, settlement administration costs, and an incentive award of $2,500 to the class representative. Class members are entitled to a one-year membership to CyEx’s Medical Shield privacy protection solution, and may submit a claim for a cash payment of $15.00. Individuals wishing to object to the settlement or exclude themselves must do so by March 16, 2026. Claims for cash payments must be submitted by March 16, 2026, and the final approval hearing has been scheduled for April 16, 2026.

Garnet Health

Garnet Health, a Middletown, New York-based three-campus health system with nine urgent care facilities serving residents of Orange and Sullivan Counties in New York, was alleged to have added tracking tools to its website and MyChart patient portal, which resulted in disclosures of individuals’ personally identifiable information and protected health information to Meta Platforms Inc. (Facebook) and Google Inc. without users’ knowledge or consent. Information allegedly disclosed included health conditions, searches for medical treatment, and other sensitive information.

Lawsuits were filed by Dolores Gay and Corinne Jacob over the alleged disclosures, which were consolidated as they had overlapping claims – Gay et al. v. Garnet Health. After a year of hard-fought litigation, all parties attended mediation and agreed to a settlement to resolve the lawsuit. Under the settlement, Garnet Health has agreed to pay attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. All class members are eligible to enroll in Dashlane Premium, a privacy protection product, for 12 months. In addition, class members may claim a one-time cash payment of $19.50. Individuals wishing to object to the settlement or exclude themselves must do so by March 17, 2026. Claims for cash payments must be submitted by April 16, 2026, and the final approval hearing has been scheduled for April 13, 2026.

The post Legacy Health & Garnet Health Settle Class Action Lawsuits Over Website Tracking Tools appeared first on The HIPAA Journal.

Capital Health has agreed to pay $4.5 million to settle a class action lawsuit stemming from a 2023 ransomware attack. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell Township – as well as many primary care clinics in New Jersey and Pennsylvania.

On or around November 26, 2023, Capital Health identified unauthorized activity within its computer systems. The forensic investigation confirmed that a criminal cyber actor had access to its network between November 11, 2023, and November 26, 2023, and used ransomware to encrypt files. The investigation determined that files containing patient data had been exposed and may have been stolen. The LockBit ransomware group claimed responsibility for the attack and said it exfiltrated 7 TB of data. LockBit threatened to publish the stolen data on January 9, 2024, if the ransom was not paid. It is unclear if any payment was made.

Capital Health’s investigation confirmed that the hackers potentially accessed patient data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and medical information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 503,071 individuals. Capital Health announced the cyberattack in December 20223, and the first class action lawsuit over the attack was filed on December 19, 2023. Further class action lawsuits were filed by other affected patients, which were consolidated in May 2025 – Bruce Graycar, et al. v. Capital Health Systems, Inc. – in the United States District Court for the District of New Jersey, as the lawsuits had overlapping claims. The consolidated class action lawsuit alleged claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, declaratory judgment, and Violation of the New Jersey Consumer Fraud Act.

All parties discussed the option of settling the lawsuit, and a settlement was agreed upon by all parties, with no admission of liability, fault, or wrongdoing by Capital Health. Under the terms of the settlement, class members may submit claims for up to $5,000 per class member as reimbursement for documented, unreimbursed losses resulting from the data breach. Alternatively, class members may submit a claim for a cash payment, estimated to be $100 per class member. The cash payments may be increased or decreased, depending on the number of valid claims received. In addition to the cash payments, class members may also submit a claim for three years of credit monitoring services, valued at $90 per year.

Capital Health has also confirmed to class counsel that a range of additional security measures have been implemented and will be maintained to better protect patient data in the future. The deadline for objection to and opting out of the settlement is March 9, 2026. The deadline for submitting a claim is April 6, 2026, and the final fairness hearing has been scheduled for July 14, 2026.

The post Capital Health Data Breach Litigation Settled for $4.5M appeared first on The HIPAA Journal.