Pinehurst Radiology Associates has agreed to settle a class action lawsuit over a January 2025 data breach, and Tallahassee Memorial HealthCare has agreed to settle class action litigation over its use of pixels on its website.

Pinehurst Radiology Associates Settlement

Pinehurst Radiology Associates, a medical diagnostic imaging center in Pinehurst, North Carolina, has agreed to settle a class action lawsuit over a January 2025 security incident that affected 8,682 individuals. Pinehurst Radiology Associates identified a cybersecurity incident on January 20, 2025, and determined that patients’ protected health information had been exposed. Data exposed in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, treatment information, medical record numbers, health insurance information, and Medicare/Medicaid numbers. The affected patients were notified on or around May 22, 2025.

Two class action lawsuits were filed in response to the data breach, which were consolidated in the Superior Court of Moore County, North Carolina – McNeill, et al. v. Pinehurst Radiology Associates, PLLC. The plaintiffs alleged that the data breach resulted from negligence because reasonable and appropriate cybersecurity measures had not been implemented. Pinehurst Radiology Associates denies all claims of wrongdoing, fault, and liability.

All parties explored the possibility of an early settlement, and an agreement on the material terms was reached on September 30, 2025. The final terms of the settlement have been negotiated, and it has received preliminary approval from the court. Pinehurst Radiology Associates has agreed to pay for CyEx Medical Shield Complete medical data monitoring services for 12 months for all class members, which include a $1 million identity theft insurance policy. Claims may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $500 per class member. Losses must have been incurred between January 20, 2025, and April 9, 2026. The deadline for opting out and objection is March 7, 2026. Claims must be submitted by April 9, 2026, and the final fairness hearing has been scheduled for April 6, 2026.

Tallahassee Memorial HealthCare Settlement

Tallahassee Memorial HealthCare has agreed to pay benefits to current and former patients whose personal and protected health information may have been disclosed to third parties, such as Meta Platforms and Google Inc., due to pixels and other tracking and analytics tools on the Tallahassee Memorial HealthCare website.

According to the lawsuit, these tools collected data relating to website use, which may have included personal and protected health information depending on the user’s interactions with the website. The lawsuit claims that these disclosures occurred for marketing and advertising purposes, without the knowledge or consent of website users. The lawsuit claims that the disclosures violated the Florida Security of Communications Act and the Electronic Communications Privacy Act. The lawsuit also asserted claims of invasion of privacy, breach of implied contract, unjust enrichment, and breach of confidence.

Tallahassee Memorial HealthCare denies all claims of wrongdoing and liability, and all material allegations in the lawsuit, but chose to settle the litigation to avoid the cost and uncertainty of a trial and related appeals. The plaintiffs believe all claims have merit but agreed that the settlement is fair and in the best interests of all class members. Under the terms of the settlement, class members can claim a 24-month membership to CyEx Financial Shield Complete, as well as a cash payment of $17. The final fairness hearing has been scheduled for March 2, 2026.

The post Pinehurst Radiology Associates & Tallahassee Memorial HealthCare Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

Settlements have received preliminary approval from the courts to resolve class action lawsuits against Northeast Rehabilitation Hospital Network, American Addiction Centers, and Midwest Physician Administrative Services (Duly Health and Care) over alleged impermissible disclosures of patients’ protected health information.

Northeast Rehabilitation Hospital Network Data Breach Settlement

Northeast Rehabilitation Hospital Network in New Hampshire has agreed to a settlement to resolve a class action data breach lawsuit stemming from a 2024 cyberattack by the Hunters International cyber threat group. The cyberattack was detected on or around May 22, 2024, and the lawsuit states that the private information of 148,515 individuals was compromised in the incident.

The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 136,724 individuals. Data compromised in the incident included names, medical histories, treatment information, patient account numbers, billing/claims information, and health insurance information. Patients were notified about the data breach on or around January 6, 2025.

The first lawsuit over the data breach was filed in January 2025, followed by a further three class action complaints. The lawsuits were consolidated – Minicucci et al. v. Northeast Rehabilitation Hospital Network – in the Rockingham County Superior Court in the State of New Hampshire.

Northeast Rehabilitation Hospital Network denies the claims in the lawsuit but chose to settle the litigation with no admission of liability or wrongdoing. Under the terms of the settlement, class members may submit a claim for one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, a claim may be submitted for a one-time cash payment of $75.00. The deadline for objection, opting out, and submitting a claim is February 17, 2026. The final fairness hearing has been scheduled for March 2, 2026.

American Addiction Centers Data Breach Settlement

American Addiction Centers has agreed to settle a class action lawsuit over a September 26, 2024, data incident involving unauthorized access to the personal information of 423,065 individuals, including the protected health information of 410,747 current and former patients. Data exposed or stolen in the Rhysida ransomware attack included names, addresses, phone numbers, dates of birth, medical record numbers, other identifiers, Social Security numbers, and health insurance information.

Twelve class action lawsuits were filed in response to the data breach, which were consolidated in the United States District Court for the Middle District of Tennessee, as they had overlapping claims. The consolidated lawsuit In re American Addiction Centers, Inc. Data Breach Litigation – alleged that the ransomware attack and data breach occurred due to the failure of American Addiction Centers to implement reasonable and appropriate data security measures. American Addiction Centers denies all claims of wrongdoing, fault, and liability, but agreed to settle the litigation to avoid further legal costs, expenses, and the distraction, burden, and disruption to business operations from continuing with the litigation.

American Addiction Centers has agreed to establish a $2,750,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the twelve plaintiffs, and benefits for the class members. Class members may claim two years of credit monitoring services, reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and a pro rata cash payment, expected to be approximately $50 per class member, but may be higher or lower depending on the number of valid claims received.

The deadline for objection and opting out is March 6, 2026. The deadline for submitting a claim is March 23, 2026, and the final fairness hearing has been scheduled for April 20, 2026.

Midwest Physician Administrative Services (Duly Health and Care) Pixel Settlement

A settlement has been agreed to resolve a class action lawsuit against Midwest Physician Administrative Services, LLC d/b/a Duly Health and Care, over its use of Meta Pixel tracking code on its website, dulyhealthandvcare.com. The plaintiffs alleged that the tracking code transmitted personal and protected health information to Meta Platforms without website users’ knowledge or consent.

The lawsuit – Mayer v. Midwest Physician Administrative Services, LLC d/b/a Duly Health and Care – filed in the United States District Court, Northern District of Illinois alleged that Duly Health and Care encourages patients to use the website to book medical appointments, locate physicians and treatment facilities, communicate medical symptoms, search medical conditions and treatment options, and sign up for events and classes. A patient portal is also maintained for communicating with clinicians, accessing medical records, booking appointments, obtaining test results, and more.

While users of the website and patient portal believed that they were communicating only with Duly Health and Care, without their knowledge, data was being collected and transmitted to Meta Platforms. According to the lawsuit, “By installing the Meta Pixel, Defendant effectively planted a bug on Plaintiffs’ and Class Members’ web browsers and compelled them to unknowingly disclose their private, sensitive and confidential health-related communications with Defendant to Meta.”

The lawsuit asserted eight claims, one for violation of the federal Electronic Communications Privacy Act (ECPA), and seven claims under state law: violation of the Illinois Eavesdropping Statute; violation of the Illinois Consumer Fraud and Deceptive Business Practices Act; violation of the Illinois Uniform Deceptive Trade Practices Act; breach of confidence; invasion of privacy—intrusion upon seclusion; breach of implied contract; and negligence. Duly Health and Care denies all wrongdoing and sought to have the lawsuit dismissed for failure to state a claim. The motion to dismiss was partially successful and resulted in six of the eight claims being dismissed; however, the lawsuit was allowed to proceed with the claims of negligence and violation of the ECPA.

A settlement was agreed upon following mediation and the commencement of discovery. Duly Health and Care has agreed to establish a settlement fund of $1,880,000, from which attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives will be deducted. The remainder of the settlement will be paid pro rata to individuals who submit a claim. Claims will be accepted from patients who logged into the authenticated portion of the website between July 24, 2020, and April 10, 2023. The deadline for opting out and objection is March 2, 2026. The deadline for filing a claim is March 2, 2026, and the final fairness hearing has been scheduled for April 7, 2026.

The post Three Healthcare Providers Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

Staten Island University Hospital (SIUH) in New York has agreed to settle a class action lawsuit over a 2024 data breach involving one of its business associates. The data breach occurred in January 2024 at The Medibase Group Inc., a vendor that provides healthcare solutions, technical assistance, and business office solutions. On or around May 8, 2024, The Medibase Group notified SIUH that an unauthorized third party had gained access to Medibase systems, which contained the protected health information of 35,106 individuals. Data compromised in the incident included names, Social Security numbers, dates of birth, medical information, and health insurance information. Notification letters were mailed to the affected individuals on July 5, 2024.

A class action lawsuit was filed by plaintiffs Belle De Santiago and Elena Girenko over the data breach – Santiago et al. v. Staten Island University Hospital – in the Superior Court of Cherokee County for the State of Georgia. The lawsuit alleged the data breach was the result of the defendant’s failure to implement reasonable and appropriate security measures to protect sensitive patient data.

The lawsuit asserted claims of negligence/negligence per se, breach of implied contract, and unjust enrichment. SIUH denies all claims of wrongdoing, fault, and liability; however, it agreed to a settlement to avoid the litigation costs and expenses, distractions, burden, expense, and disruption to its business operations associated with further litigation. Class counsel and the lead plaintiffs believe the negotiated settlement is reasonable and fair.

Class members may submit a claim for two years of medical data monitoring services, which include a $1 million identity theft insurance policy. In addition, a claim may be submitted for cash payments. A claim can be submitted for compensation for documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member. A claim may also be submitted for a $35.00 flat cash payment. The deadline for exclusion and opting out is March 2, 2026. The deadline for submitting a claim is March 16, 2026, and the final fairness hearing has been scheduled for March 31, 2026.

The post Staten Island University Hospital Settles Lawsuit Over Business Associate Data Breach appeared first on The HIPAA Journal.

McLaren Health Care has agreed to pay $14 million to settle class action litigation stemming from two ransomware attacks in 2023 and 2024 that affected more than 2.8 million patients and employees.

McLaren Health Care is a Grand Rapids, Michigan-based integrated healthcare delivery system that operates 12 hospitals and many healthcare facilities in Michigan, Indiana, and Ohio, and also a health plan. Over the space of a year, McLaren Health Care experienced two ransomware attacks. The first attack was conducted by the ALPHV/BlackCat ransomware group, which had access to its computer network from July 28, 2023, to August 23, 2023. The second attack was conducted by the Inc Ransom ransomware group, which accessed its network between July 17, 2024, and August 3, 2024.

The ALPHV/BlackCat ransomware attack affected 2,103,881 individuals, and the Inc Ransom ransomware attack affected 743,131 individuals. Data compromised in the attacks included names, Social Security numbers, information about past, present, or future physical, mental, or behavioral health or conditions, the provision of health care, and payment for health care.

The first attack was detected on August 22, 2023, and notification letters were mailed to the affected individuals on November 9, 2023. At least eight class action lawsuits were filed in response to the first data breach, which were consolidated in the United States District Court for the Eastern District of Michigan. Following the 2024 ransomware attack and data breach, a further two class action lawsuits were filed. The lawsuits were consolidated in the Michigan 7^th Judicial Circuit Court for Genesee County – Cindy Womack-Devereaux, et al. v. McLaren Health Care Corporation.

The lawsuit alleged that McLaren Health Care had inadequate security measures, did not comply with industry standards for data security, FTC guidelines, or the HIPAA Rules, resulting in the first attack. Then, McLaren Health Care failed to learn from the ransomware attack and did not make the necessary security upgrades to prevent further incidents, resulting in a second ransomware attack.

The plaintiffs alleged that they suffered concrete injuries as a result of the attacks, including invasion of privacy, theft of their private information, lost or diminished value of their private information, lost time and opportunity costs, loss of benefit of the bargain, loss of employment opportunities, and a continued risk of their private information being misused, as it remains unencrypted and available for other parties to access via the dark web. The lawsuit asserted claims of negligence, breach of implied contract, breach of express contract, and unjust enrichment. McLaren Health Care disagrees with all claims and contentions in the lawsuit.

Following months of dialogue about a potential settlement, the plaintiffs issued a settlement demand, and an appropriate settlement was ultimately agreed upon following mediation. Under the terms of the settlement, class members may submit a claim for one year of single-bureau credit monitoring and identity theft protection services plus one or two cash payments. The first cash payment may be claimed for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. The losses must have been incurred on or after July 28, 2023, and be more likely than not traceable to either of the data breaches.

Regardless of whether a claim is submitted for reimbursement of losses, class members may submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees and expenses, settlement administration costs, service awards for the lead plaintiffs, credit monitoring costs, and claims for reimbursement of losses have been deducted. McLaren Health Care has also agreed to take certain remedial measures and enhance security.

The deadline for exclusion and objection is March 16, 2026. The deadline for submitting a claim is April 29, 2026, and the final approval hearing has been scheduled for April 21, 2026.

The post McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks appeared first on The HIPAA Journal.

Two healthcare providers have agreed to settle class action lawsuits over their use of website tracking technologies. Website tracking technologies, such as pixels, can collect and transmit data about website users, which can include personally identifiable information and protected health information if installed on a healthcare provider’s website or patient portal. These tools have been found on the websites of many hospitals, and many lawsuits have been filed by individuals for privacy violations. Two such lawsuits against Legacy Health and Garnet Health have recently been settled, with no admission of liability, fault, or wrongdoing by the healthcare providers.

Legacy Health

Legacy Health, a nonprofit health system with seven hospitals and more than 90 clinics in Oregon and Vancouver, Washington, was sued over the alleged use of third-party tracking tools on its websites without the knowledge or consent of website users. According to the lawsuit, the tools transmitted patients’ personally identifiable information to third parties such as Meta Platforms Inc. (Facebook) and Alphabet Inc. (Google).

The lawsuit – Katherine Layman v. Legacy Health – asserted claims of negligence, breach of confidence, invasion of privacy, breach of implied contract, unjust enrichment, and violation of the Electronic Communications Privacy Act. All parties agreed to settle the litigation to avoid the cost and time associated with continuing with the litigation, and the uncertainty of trial.

Under the terms of the settlement, Legacy Health has agreed to pay up to $2,200,000 to cover attorneys’ fees and expenses, settlement administration costs, and an incentive award of $2,500 to the class representative. Class members are entitled to a one-year membership to CyEx’s Medical Shield privacy protection solution, and may submit a claim for a cash payment of $15.00. Individuals wishing to object to the settlement or exclude themselves must do so by March 16, 2026. Claims for cash payments must be submitted by March 16, 2026, and the final approval hearing has been scheduled for April 16, 2026.

Garnet Health

Garnet Health, a Middletown, New York-based three-campus health system with nine urgent care facilities serving residents of Orange and Sullivan Counties in New York, was alleged to have added tracking tools to its website and MyChart patient portal, which resulted in disclosures of individuals’ personally identifiable information and protected health information to Meta Platforms Inc. (Facebook) and Google Inc. without users’ knowledge or consent. Information allegedly disclosed included health conditions, searches for medical treatment, and other sensitive information.

Lawsuits were filed by Dolores Gay and Corinne Jacob over the alleged disclosures, which were consolidated as they had overlapping claims – Gay et al. v. Garnet Health. After a year of hard-fought litigation, all parties attended mediation and agreed to a settlement to resolve the lawsuit. Under the settlement, Garnet Health has agreed to pay attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. All class members are eligible to enroll in Dashlane Premium, a privacy protection product, for 12 months. In addition, class members may claim a one-time cash payment of $19.50. Individuals wishing to object to the settlement or exclude themselves must do so by March 17, 2026. Claims for cash payments must be submitted by April 16, 2026, and the final approval hearing has been scheduled for April 13, 2026.

The post Legacy Health & Garnet Health Settle Class Action Lawsuits Over Website Tracking Tools appeared first on The HIPAA Journal.

Capital Health has agreed to pay $4.5 million to settle a class action lawsuit stemming from a 2023 ransomware attack. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell Township – as well as many primary care clinics in New Jersey and Pennsylvania.

On or around November 26, 2023, Capital Health identified unauthorized activity within its computer systems. The forensic investigation confirmed that a criminal cyber actor had access to its network between November 11, 2023, and November 26, 2023, and used ransomware to encrypt files. The investigation determined that files containing patient data had been exposed and may have been stolen. The LockBit ransomware group claimed responsibility for the attack and said it exfiltrated 7 TB of data. LockBit threatened to publish the stolen data on January 9, 2024, if the ransom was not paid. It is unclear if any payment was made.

Capital Health’s investigation confirmed that the hackers potentially accessed patient data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and medical information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 503,071 individuals. Capital Health announced the cyberattack in December 20223, and the first class action lawsuit over the attack was filed on December 19, 2023. Further class action lawsuits were filed by other affected patients, which were consolidated in May 2025 – Bruce Graycar, et al. v. Capital Health Systems, Inc. – in the United States District Court for the District of New Jersey, as the lawsuits had overlapping claims. The consolidated class action lawsuit alleged claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, declaratory judgment, and Violation of the New Jersey Consumer Fraud Act.

All parties discussed the option of settling the lawsuit, and a settlement was agreed upon by all parties, with no admission of liability, fault, or wrongdoing by Capital Health. Under the terms of the settlement, class members may submit claims for up to $5,000 per class member as reimbursement for documented, unreimbursed losses resulting from the data breach. Alternatively, class members may submit a claim for a cash payment, estimated to be $100 per class member. The cash payments may be increased or decreased, depending on the number of valid claims received. In addition to the cash payments, class members may also submit a claim for three years of credit monitoring services, valued at $90 per year.

Capital Health has also confirmed to class counsel that a range of additional security measures have been implemented and will be maintained to better protect patient data in the future. The deadline for objection to and opting out of the settlement is March 9, 2026. The deadline for submitting a claim is April 6, 2026, and the final fairness hearing has been scheduled for July 14, 2026.

The post Capital Health Data Breach Litigation Settled for $4.5M appeared first on The HIPAA Journal.

Northwell Health & Northbay Healthcare were sued over the use of tracking tools on their websites, which are alleged to have illegally disclosed sensitive data to unauthorized third parties. Both healthcare providers have agreed to settle the lawsuits.

Northwell Health Data Breach Settlement

Northwell Health has agreed to settle litigation over its use of tracking software on its website. According to the lawsuit, tracking tools such as Meta Pixel and Google Analytics code were added to its website and were configured in a manner that resulted in protected health information being transmitted to third parties, without the consent of website visitors.

The lawsuit – Kaplan v. Northwell Health, Inc. – was filed in the New York State Supreme Court, Kings County, and alleged that information about website users’ past, present, or future health conditions, including the type and date of a medical appointment, was collected and transmitted to third parties. That information could be tied to individuals via identifiers such as the their Facebook ID and IP address. The information disclosed could allow third parties to infer that the individual was seeking treatment for a specific medical condition and was a patient of Northwell Health. The lawsuit alleges that the use of tracking tools on the website without obtaining consent violated the Electronic Communications Privacy Act.

Northwell Health disagrees with the claims and contentions in the lawsuit and sought to have the lawsuit dismissed. Northwell Health believes it would have prevailed on its motion to dismiss; however, before the motion to dismiss was argued, all parties engaged in settlement discussions. After considering the likely cost of continuing with the litigation and the risks associated with doing so, the decision was taken to settle the lawsuit.

There are two subclasses, the first of which consists of individuals who logged into the FollowMyHealth patient portal between January 1, 2020, and December 31, 2023, and any patient who booked an appointment via the website between the same dates. Those individuals may claim a cash payment of $15.00. The second subclass consists of all other Northwell Health patients between January 1, 2020, and July 25, 2024, who are not included in the first subclass. Individuals in both subclasses are entitled to a 12-month subscription to a privacy monitoring service. Claims must be submitted by April 20, 2026. The final fairness hearing has been scheduled for April 21, 2026. Individuals wishing to opt out of the settlement or object, must do so by March 23, 2026.

Northbay Healthcare Data Breach Settlement

Northbay Healthcare, the operator of two hospitals in Fairfield and Vacaville, California, and several care centers in Solano County, settled litigation over its use of website tracking tools, which are alleged to have impermissibly disclosed patient data to Meta Platforms, Google, and others.

The lawsuit – J.A., T.A., and N.C. v. NorthBay Healthcare Corporation – was filed in the Superior Court of Solano County, California, and alleged that the inclusion of the tools on its website, without informing patients and obtaining consent, resulted in an invasion of privacy and other common law and statutory violations. NorthBay Healthcare denies all allegations of wrongdoing and liability, and all material allegations in the class action complaint. After considering the likely costs of protracted litigation and the uncertainty of a trial and related appeals, the decision was taken to settle the litigation.

Under the terms of the settlement, individuals who were California residents between November 29, 2020, and May 14, 2024, and visited a Northbay Healthcare website or used the patient portal between those dates may submit a claim for a cash payment of $15.00. Class members may also claim a 12-month subscription to the CyEx Privacy Shield Pro privacy protection service. The deadline for opting out, objecting, and submitting a claim is March 12, 2026. The final fairness hearing has been scheduled for March 19, 2026.

The post Northwell Health & Northbay Healthcare Settle Litigation Over Website Pixel Use appeared first on The HIPAA Journal.

The mobility equipment provider United Seating and Mobility, doing business as Numotion, has agreed to settle class action litigation stemming from two data security incidents in 2024 that involved unauthorized access to the protected health information of hundreds of thousands of its customers.

The first incident was detected by Numotion on March 2, 2024. The forensic investigation confirmed that an unauthorized third party gained access to its systems, which, according to the lawsuit, contained the personal and protected health information of 685,264* current and former customers and employees. The ransomware group had access to its network between February 29, 2024, and March 2, 2024, and potentially obtained names, dates of birth, equipment order details, supporting medical documentation, medical insurance information, and, for certain individuals, Social Security numbers.

The second data security incident was a phishing incident, discovered on September 29, 2024, involving unauthorized access to email accounts. The data review confirmed that the personal and protected health information of 494,326 individuals* was present in the compromised accounts, including names, dates of birth, product information, payment and financial account information, health insurance information, medical information, and limited Social Security numbers.

Multiple class action lawsuits were filed in response to each data breach, which were consolidated into two separate actions. In March 2025, the parties in each of the two consolidated actions explored the early resolution of both lawsuits in a single settlement. Following a full day of mediation and arms-length negotiations, the material terms of a settlement were agreed upon, and over the following weeks, a settlement was finalized with no admission of liability or wrongdoing by the defendant. That settlement has now received preliminary approval from the court.

Under the terms of the settlement, Numotion has agreed to establish a $4,000,000 settlement fund to cover attorneys’ fees and expenses (up to $1,333,333.33), settlement administration costs, service awards for the class representatives, and benefits for the class members. There are two possible cash payments. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $15,000 per class member, plus a pro rata cash payment. The cash payments will be paid pro rata if the costs and other benefits do not exhaust the settlement fund.

All class members will receive two years of complimentary credit monitoring services without submitting a claim, and the subclass of individuals who had their Social Security numbers exposed may submit a claim for two years of medical monitoring services. The deadline for opting out of and objection to the settlement is March 3, 2026, and claims must be submitted by March 18, 2026. The final approval hearing was scheduled for April 2, 2026.

*The HHS’ Office for Civil Rights was informed that the first incident involved the protected health information of up to 602,265 individuals, and the second data breach involved the protected health information of up to 529,004 individuals.

The post Numotion Agrees to Pay $4 Million to Settle Litigation Stemming from 2024 Data Breaches appeared first on The HIPAA Journal.