Legal News about HIPAA Compliance

$2.35 Million Settlement Agreed to Resolve Cornerstone Specialty Hospitals Data Breach Lawsuit

Cornerstone Healthcare Group Management Services, doing business as Cornerstone Specialty Hospitals (Cornerstone), has agreed to settle class action litigation stemming from a December 2023 cyberattack and data breach.

A threat actor gained access to the Cornerstone network on or around December 19, 2023, and potentially accessed and copied patient information. Data potentially compromised in the incident included names, dates of birth, Social Security numbers, federal or state ID numbers, financial account information, credit or debit card information, digital signatures, email addresses and passwords, usernames and passwords, passport numbers, medical/health information, health insurance information, and other protected health information. Initially, the data breach was reported to the HHS’ Office for Civil Rights using a placeholder estimate of at least 501 affected individuals. The total was later updated to 484,957 individuals.

A lawsuit – Mireles v. Cornerstone Healthcare Group Management Services LLC d/b/a/ Cornerstone Specialty Hospitals – was filed in the Court of the Western District of Kentucky, Louisville Division, in response to the data breach. The lawsuit alleged that the data breach was a direct result of the defendant’s failure to take necessary and appropriate steps to secure sensitive data on its network, and that the defendant failed to issue timely notifications, which were mailed on or around July 1, 2024, more than 6 months after the incident occurred.

The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and declaratory relief. Cornerstone denies all claims of fault, wrongdoing, and liability, but agreed to a settlement to avoid further legal costs and the uncertainty of a trial. Class counsel and the class representatives believe the settlement is fair and is in the best interests of the class members.

Cornerstone has agreed to establish a $2,350,000 settlement fund to cover attorneys’ fees and expenses, service awards for the class representatives, and settlement fund taxes and tax expenses. The remainder of the fund will be used to pay for benefits to the class members. Individuals whose Social Security numbers were compromised in the incident may claim two years of three-bureau credit monitoring and identity theft protection services. They may also submit a claim for reimbursement of documented, unreimbursed extraordinary losses due to the data breach, up to a maximum of $10,000 per individual.

All class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach. Claims are capped at $2,500 per individual for ordinary losses. Class members who do not submit a claim for reimbursement of losses, either ordinary or extraordinary losses, may instead claim a pro rata cash payment, which will be paid once costs and claims have been paid. Individuals whose Social Security numbers were exposed will receive a cash payment equal to three times the amount paid to non-SSN subclass members. The date for objection and exclusion is April 8, 2026. The deadline for submitting a claim is May 8, 2026, and the final approval hearing has been scheduled for May 14, 2026.

The post $2.35 Million Settlement Agreed to Resolve Cornerstone Specialty Hospitals Data Breach Lawsuit appeared first on The HIPAA Journal.

Former Nuance Employee Pleads Guilty to Stealing 1.2 Million Patient Records

A former employee of Nuance Communications has pleaded guilty to accessing and removing the protected health information of 1.2 million patients of Geisinger Health System after he was terminated. Nuance Communications was a business associate of Geisinger and had access to systems containing protected health information.

Max Vance, 46, of El Cajon, California, was terminated by Nuance for unrelated reasons; however, his access rights were not immediately revoked. Two days after his termination, Vance used his access to copy data from Geisinger’s systems. The breach was detected by Geisinger, which notified Nuance, and Vance’s access rights were terminated. Data copied by Vance included patient names, contact information, birth dates, admission/discharge/transfer codes, medical record numbers, and race/gender information. The copied data did not include financial information, Social Security numbers, or health insurance information.

Law enforcement was notified about the unauthorized access and copying of data, and an investigation was launched. The data breach was identified by Geisinger on November 29, 2023, and Vance was arrested in February 2024. During a search of his property, law enforcement found two unregistered firearms, fake and blank IDs, a machine for creating fake ID cards, and electronic equipment containing the stolen data.

Vance’s trial was scheduled for August 2024 but was postponed by the court on several occasions, and was due to take place on April 20, 2026. Vance agreed to enter a guilty plea to one count of obtaining data from a protected computer without authorization, which carries a maximum jail term of 5 years, up to three years of supervised release, and a fine of up to $250,000.

In court on February 27, 2026, Vance entered a guilty plea, although there are certain provisions attached. The plea agreement will see two charges of making false statements to the FBI dropped, with Vance receiving a sentence of time served, followed by three years of supervised release. Vance has already spent more than two years in jail following his arrest, which is longer than the minimum sentence. Under the plea agreement, Vance has agreed to pay restitution, although there is still disagreement on how much should be paid. Vance wanted to be released prior to sentencing; however, the judge refused, pending a review of the plea agreement.

If the judge does not agree to the provisions of the plea agreement, the guilty plea will be withdrawn, and the case will go to trial. Should that happen, Vance will be tried on all charges, including making false statements to the FBI. A sentencing hearing date has not yet been set.

General Physician Pays $2.5 Million to Settle Data Breach Litigation

General Physician, P.C., a medical group serving patients in Western New York, has agreed to pay $2.5 million to settle a class action lawsuit over a 2024 data breach.

Suspicious activity was identified within its email environment on June 12, 2024. The forensic investigation confirmed that an unauthorized third party had access to its email system from April 6, 2024, to June 12, 2024. Patient information exposed and potentially stolen in the incident included full names, addresses, Social Security numbers, financial account information, dates of birth, medical history information, mental and physical treatment information, diagnosis information, treating physician names, medical record numbers, and health insurance information. The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 individuals. The total was later updated to 167,387 individuals.

Several class action lawsuits were filed in response to the data breach, which were consolidated – Newhart v. General Physician, P.C. – in the Supreme Court of the State of New York, County of Erie. The plaintiffs alleged that General Physician was negligent for failing to implement reasonable and appropriate cybersecurity measures to protect sensitive patient data on its network. General Physician maintains that there was no wrongdoing and that there is no liability. All parties explored an early settlement and, following mediation, the material terms of a settlement were agreed. The settlement has now been finalized and has received preliminary approval from the court. The final fairness hearing has been scheduled for June 4, 2025.

Under the terms of the settlement, General Physician has agreed to establish a $2,500,000 settlement fund, which will be used to pay benefits to the class members after attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives have been deducted. While the OCR breach portal states that the protected health information of up to 167,387 individuals was compromised in the incident, the settlement class consists of approximately 490,210 individuals.

Class members are entitled to claim a two-year membership to a single-bureau credit monitoring and medical data monitoring service. In addition, they may submit a claim for one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for a pro rata cash payment. The value of the pro rata cash payment will depend on the number of valid claims received. Based on the estimated response rate, the cash payments are expected to be approximately $60. The deadline for objecting to the settlement and opting out is April 27, 2026. Claims must be submitted by May 27, 2026.

Asheville Eye Associates Settles Lawsuit Stemming from DragonForce Ransomware Attack

Asheville Eye Associates, an eye care provider serving patients in Western North Carolina, has agreed to settle class action litigation stemming from a November 2024 cyberattack and data breach.

A cyber threat actor accessed its network and potentially viewed or obtained patient information, including names, addresses, health insurance information, and medical treatment information. The Asheville Eye Associates data breach was reported to the HHS’ Office for Civil Rights as affecting 204,984 individuals. The DragonForce ransomware group took credit for the attack and claimed to have exfiltrated 540 GB of data before encrypting files. The data was leaked when the ransom was not paid. The affected individuals were notified about the attack in early February 2024.

Multiple lawsuits were filed in response to the data breach by plaintiffs Robert Woodsmall, Mimi Reynolds, Dena Brito, Robert Ricchetti, and Christopher Miller. The lawsuits were consolidated, In re Asheville Eye Associates Data Incident Litigation, in South Carolina’s General Court of Justice Superior Court Division. The lawsuit asserted several claims, including negligence, negligence per se, unjust enrichment, breach of implied contract, and breach of confidence. Asheville Eye Associates denies all claims and contentions in the lawsuit and maintains there was no wrongdoing.

Following mediation, all parties agreed to settle the litigation to avoid further litigation costs and expenses, and the uncertainty of a trial. Under the terms of the settlement, Asheville Eye Associates has agreed to pay for attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and several benefits for the class members.

Attorneys’ fees and expenses will not exceed $500,000, settlement administration costs are $53,000, and service awards of $1,250 per class representative (total: $6,250) have been approved. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $1,250 per class member. All class members may claim one year of identity theft protection services, and will automatically receive a $10 voucher that can be used toward the purchase of eyeglasses at any Asheville Eye Associates location (except its 21 Medical Park Drive, Asheville, North Carolina location).

The deadline for objection, exclusion, and submitting a claim is April 6, 2026. The final fairness hearing has been scheduled for May 14, 2026.

Rebound Orthopedics & Neurosurgery Pays $2.5 Million to Settle Data Breach Lawsuit

Rebound Orthopedics & Neurosurgery, a Vancouver, WA-based orthopedic and neurosurgery practice, has agreed to pay $2,500,000 to settle a class action lawsuit over a February 2024 security incident involving unauthorized access to the protected health information of 426,536 patients. Data compromised in the incident included names, dates of birth, medical information, health insurance information, Social Security numbers, financial account information, driver’s license numbers, and passport numbers.

The affected patients started to be notified on April 15, 2024, and the first class action lawsuit related to the data breach was filed on February 7, 2025, in the Superior Court of the State of Washington, Clark County. A further five class action lawsuits were filed by other affected individuals, which were consolidated in the same court – Cooper, et al. v. Rebound Orthopedics & Neurosurgery P.C.

The consolidated lawsuit alleged that Rebound Orthopedics & Neurosurgery was at fault, as reasonable and appropriate cybersecurity measures had not been implemented prior to the data breach. The lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, invasion of privacy, and violations of the Washington Consumer Protection Act and the Oregon Unlawful Trade Practices Act. Rebound Orthopedics & Neurosurgery denies all claims of fault, wrongdoing, and liability.

To avoid the costs, expenses, distraction, and burden of continuing with the litigation, and the uncertainty of a trial and related appeals, all parties agreed to settle the lawsuit. Class counsel and the class representatives believe that the settlement is fair. Under the terms of the settlement, Rebound Orthopedics & Neurosurgery has agreed to establish a $2,500,000 settlement fund to cover attorneys’ fees and expenses, notification and settlement costs, service awards for the class representatives, and benefits for the class members.

Class members may submit a claim for a two-year membership to the CyEx Medical Shield Complete credit and medical data monitoring service, plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses incurred due to the data breach up to $5,000 per class member. Alternatively, a claim may be submitted for a one-time pro rata cash payment, which is estimated to be $75 per class member, but may be higher or lower depending on the number of valid claims received.

The deadline for objection to and exclusion from the settlement is May 28, 2026. Claims must be submitted by May 28, 2026, and the final fairness hearing has been scheduled for June 12, 2026.

Catholic Health System & Northwell Health Settle Pixel Lawsuits

The New York-based health systems, Catholic Health System & Northwell Health, have agreed to settle class action lawsuits stemming from their use of pixels and other website tracking and analytics tools, which are alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without consent.

Website tracking and analytics tools are used extensively across the internet for tracking website visitors. While these tools can collect valuable information to help website owners improve their websites, they can also collect and transmit sensitive data to the third-party providers of the tools. That disclosed information may then be used for advertising purposes.

Depending on how these tools are implemented, they may violate the HIPAA Privacy Rule, such as if they are added to web pages or apps that require authentication. Over the past three years, many lawsuits have been filed over the use of these tools by healthcare providers. HIPAA has no private cause of action, so individuals cannot sue for HIPAA violations. The lawsuits were filed for alleged violations of federal wiretapping laws and state consumer protection laws.

Catholic Health System Pixel Settlement

Catholic Health System, a non-profit integrated health system based in Buffalo, New York, was sued for implementing these tools, which resulted in impermissible disclosures of protected health information to Meta and other third parties. The defendant filed a motion to dismiss, which was partially successful; however, the lawsuit was allowed to proceed, and an amended complaint – J.C. v. Catholic Health System, Inc. – was filed in the Supreme Court of the State of New York, County of Erie.

Catholic Health System denies any wrongdoing whatsoever and also denies that tracking technologies were added to its patient portal or electronic medical record system; however, following mediation, a settlement was agreed upon by all parties. The settlement provides benefits to all patients who logged into the Catholic Health System MyChart patient portal from January 1, 2020, through December 11, 2025 (Subclass 1), and any current or former patient who sought and received treatment from Catholic Health System between the same dates, not including individuals in Subclass 1 (Subclass 2).

The defendant has agreed to pay all attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. Class members in Subclass 1 may submit a claim for a one-time cash payment of $20, and members of Subclass 2 may submit a claim for a 12-month membership to a Dashlane privacy monitoring service. Class members have until March 11, 2026, to object to the settlement or exclude themselves. Claims must be submitted by April 10, 2026, and the final fairness hearing has been scheduled for April 23, 2026.

Northwell Health Pixel Settlement

Northwell Health, a New York-based nonprofit integrated healthcare system serving patients in New York and Connecticut, faced similar class action litigation over the use of website tracking tools that were alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without patients’ knowledge or consent. Through these tools, the defendant is alleged to have disclosed information related to past, present, or future health conditions, which would allow third parties to determine that an individual was a patient or seeking treatment, together with the type of medical care being sought.

The lawsuit, Kaplan v. Northwell Health, Inc., was filed in the Supreme Court of the State of New York, County of Kings and asserted claims of breach of fiduciary duty/confidentiality, breach of implied contract, unjust enrichment, negligence, invasion of privacy under New York Civil Rights Law, violations of the New York Consumer Law for Deceptive Acts and Practices, and violations of the Electronic Communications Privacy Act.

The defendant denies all claims of fault, wrongdoing, and liability and disagrees with all contentions in the lawsuit; however, to avoid the expense of ongoing litigation and the uncertainty of a trial and related appeals, the decision was taken to settle the litigation. There are two settlement classes, with different benefits. Individuals who used Northwell Health’s FollowMyHealth patient portal between January 1, 2020, and December 31, 2023, are in Settlement Subclass 1 and may submit a claim for monetary relief of $15 per class member. All other patients of Northwell Health between January 1, 2020, and July 25, 2024, not including those in Settlement Subclass 1, are in Settlement Subclass 2 and may claim a 12-month membership to a privacy monitoring service.

The deadline for objection and opting out is March 23, 2026. The deadline for submitting a claim is April 20, 2026, and the final fairness hearing has been scheduled for April 21, 2026.

Carespring Health Care Management & LifeBridge Health Settle Class Action Data Breach Lawsuits

Carespring Health Care Management in Ohio and LifeBridge Health in Maryland have agreed to settle class action lawsuits stemming from data breaches.

Carespring Health Care Management

Carespring Health Care Management has agreed to settle a class action lawsuit stemming from an October 2023 cyberattack and data breach. Hackers gained access to the protected health information of 64,609 individuals, including names, dates of birth, Social Security numbers, financial information, health insurance information, and medical information.

The first class action lawsuit over the data breach was filed by plaintiff Phyllis Rise on August 29, 2024. Four related actions were subsequently filed by other affected individuals. The five lawsuits were consolidated – Rice, et al., v. Carespring Health Care Management, LLC – in the Court of Common Pleas for Clermont County, Ohio, as the lawsuits had overlapping claims.

The consolidated lawsuit asserted several claims, including negligence/negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, fraud, misrepresentation, unjust enrichment, bailment, wantonness, and the failure to provide adequate notice about the data breach. Carespring Health Care Management denies all claims asserted in the lawsuit.

To avoid the expense, delay, and uncertainties of litigation, all parties agreed to a settlement, with no admission of liability or wrongdoing. Carespring Health Care Management will pay up to $305,000 to cover attorneys’ fees and expenses, service awards of $2,500 for each of the five class representatives, and benefits for the class members. Class members may submit a claim for two years of single-bureau credit monitoring services, and a claim for up to $4,500 as compensation for documented, unreimbursed losses resulting from the data breach. If a claim is not submitted for reimbursement of losses, class members may claim an alternative $50 cash payment.

The deadline for objection to and exclusion from the settlement is March 17, 2026. Claims must be submitted by April 16, 2026, and the final fairness hearing has been scheduled for April 28, 2026.

LifeBridge Health

LifeBridge Health Inc., a Maryland-based holding company for four Maryland hospitals and other affiliated entities, has agreed to pay $575,000 to settle class action litigation stemming from a cybersecurity incident detected in November 2024. LifeBridge Health determined that a hacker intermittently accessed its computer systems between August 27, 2024, and September 21, 2024, and potentially obtained patients’ protected health information. The affected individuals were notified about the data breach on April 1, 2025.

A lawsuit was filed in the Circuit Court for Baltimore County, Maryland, in response to the data breach, alleging it could have been prevented had LifeBridge Health implemented reasonable and appropriate cybersecurity measures. The lawsuit – Ragin v. LifeBridge Health, Inc. – asserted claims of negligence, alleged breach of implied contract, and breach of the implied covenant of good faith and fair dealing. LifeBridge Health denies all allegations in the lawsuit and maintains there was no wrongdoing. While believing that it would have prevailed at trial, the decision was taken to settle the litigation to avoid the cost, distraction, and uncertainty of trial and related appeals.

A $575,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. The remainder of the fund will be used to pay for benefits for the class members. LifeBridge Health has also agreed to make data security enhancements to better protect patient data.

A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a flat cash payment, which will be paid pro rata after all valid claims have been paid. The cash payment is estimated to be $100 per class member, but may be higher or lower depending on the number of valid claims received. The deadline for objection to and exclusion from the settlement is February 28, 2026. The deadline for submitting a claim is February 28, 2026, and the final fairness hearing has been scheduled for March 20, 2026.

Data Breach Settlements Agreed by Centrelake Medical Group & Des Moines Orthopaedic Surgeons

Class action lawsuits over data breaches at Centrelake Medical Group and Des Moines Orthopaedic Surgeons have been resolved with settlements.

Centrelake Medical Group Settlement

Centrelake Medical Group, the operator of 8 medical imaging and oncology centers in California, has agreed to settle a class action lawsuit stemming from a 2019 cybersecurity incident that affected 197,661 patients. Centrelake Medical Group experienced a ransomware attack in February 2019. The hackers had access to its servers from January 9 to February 19, 2019, and potentially obtained information such as names, phone numbers, addresses, Social Security numbers, health insurance information, diagnoses, services performed, dates of service, medical record numbers, referring provider information, and driver’s license numbers.

A lawsuit was filed in response to the data breach – April Kay Moore, et al. v. Centrelake Medical Group, Inc. – in the Superior Court of California, County of Los Angeles Civil Division, which asserted claims of breach of express and/or implied contractual promise, breach of covenant of good faith and fair dealing, violation of Civil Code § 56, et seq., and violation of California Business and Professions Code § 17200, et seq.

Centrelake Medical Group denies all claims of liability and wrongdoing but determined that the litigation would likely be protracted and expensive, and agreed to a settlement. Centrelake Medical Group has agreed to pay $525,000 for attorneys’ fees and expenses, $2,500 for each of the class representatives, and will cover notice and settlement costs.

Class members are entitled to enroll in two years of free medical and credit monitoring services, and claims may be submitted for documented, unreimbursed losses due to the data breach. A cap of $500 has been placed on ordinary losses due to the data breach, and a cap of $3,500 has been placed on extraordinary losses. Individuals who were California residents at the time of the data breach may also claim an additional $50 cash payment. The deadline for submitting a claim is June 12, 2026, and the final fairness hearing has been scheduled for July 14, 2026.

Des Moines Orthopaedic Surgeons Settlement

Des Moines Orthopaedic Surgeons in Iowa has agreed to settle class action litigation over a 2023 data breach. Des Moines Orthopaedic Surgeons experienced a data security incident in February 2023 that impacted its computer systems and resulted in the theft of the protected health information of 307,864 current and former patients. Data compromised in the incident included names, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, passports, direct deposit bank information, medical information, and health insurance information.

Three class action lawsuits were filed in response to the data breach, which were consolidated – Rogers, et al., v. Des Moines Orthopaedic Surgeons, P.C. – in the Iowa District Court for Dallas County. The plaintiffs alleged that the data breach was due to the failure to implement appropriate cybersecurity measures to protect patient data. Des Moines Orthopaedic Surgeons denies all claims of liability and wrongdoing; however, it opted to settle the litigation to avoid the costs, expense, distraction, burden, and disruption to business operations from continuing with the litigation.

The settlement includes monetary relief for the class members, which has been capped at $1,000,000. Class members are entitled to claim three years of three-bureau credit monitoring and identity theft protection services. In addition, a claim may be submitted for reimbursement of losses due to the data breach and compensation for lost time. A claim may be submitted for reimbursement of documented, unreimbursed ordinary out-of-pocket losses up to a maximum of $400 per class member, up to four hours of lost time at $25 an hour, and reimbursement of documented, unreimbursed extraordinary losses up to a maximum of $5,000 per class member.

If a claim for reimbursement of losses and lost time is not submitted, class members may claim an alternative cash payment. Those payments are $25 if their Social Security number was not compromised, and $100 if their Social Security number was compromised. The deadline for submitting a claim is March 23, 2026, and the final fairness hearing has been scheduled for April 2, 2026. Individuals wishing to object to the settlement or exclude themselves have until February 23, 2026, to do so.

Emergency Medical Services Authority & Compassion Health Care Settle Data Breach Litigation

Emergency Medical Services Authority in Oklahoma and Compassion Health Care in North Carolina were sued over cyberattacks and data breaches. Settlements have now been agreed to resolve both class action lawsuits.

Emergency Medical Services Authority Data Breach Settlement

Emergency Medical Services Authority (EMSA), the largest provider of pre-hospital emergency medical care in the state of Oklahoma, has agreed to settle a class action lawsuit stemming from a cyberattack detected on February 13, 2024. EMSA determined that hackers accessed its network between February 10, 2024, and February 13, 2024, and acquired files containing patient and employee data. The data breach affected 611,743 individuals and included names, addresses, dates of birth, dates of service, and Social Security numbers.

Two class action lawsuits were filed in response to the data breach, which were consolidated in the Oklahoma District Court of Oklahoma County – Wade Quick and Laura Lance v Emergency Medical Services Authority. EMSA denies all claims of liability, fault, and wrongdoing, and sought to have the lawsuit dismissed. The court sustained in part and denied in part the motion to dismiss, and the lawsuit proceeded to discovery. A second motion to dismiss was filed for lack of jurisdiction, and after the plaintiffs filed their response, all parties agreed to resolve the lawsuit with a settlement rather than continuing to litigate.

Under the terms of the settlement, EMSA will establish a $1.5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the class members, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $3,000 per class member. A claim may also be submitted for compensation for up to four hours of lost time at $15 per hour. While documentation is not required for the lost time claim, class members must sign an attestation that includes a brief description of the lost time. Lost time payments are included in the $3,000 cap per class member.

Class members may also claim two years of single-bureau credit monitoring and identity theft protection services. The deadline for submitting a claim is March 5, 2026. The final fairness hearing has been scheduled for April 5, 2026.

Compassion Health Care Data Breach Settlement

The Yanceyville, North Carolina-based medical practice, Compassion Health Care, has agreed to pay up to $600,000 to settle a class action lawsuit over a breach of the protected health information of 23,600 individuals. A cybersecurity incident was identified on or around March 17, 2025, and the forensic investigation confirmed that an unauthorized third party hacked its systems, and potentially obtained protected health information such as names, addresses, phone numbers, dates of birth or ages, Social Security numbers, driver’s license numbers, health insurance information, claims information, and clinical/diagnostic information. The affected individuals were notified about the data breach on or around May 16, 2025.

The first class action lawsuit over the data breach was filed on May 23, 2025, followed by a further two lawsuits. An amended complaint was filed in the Caswell County Superior Court for the State of North Carolina on July 2, 2025, adding the additional plaintiffs – Allin v. Compassion Health Care. The lawsuit alleged that the cyberattack occurred as a result of the failure to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims of negligence/negligence per se, breach of implied contract, breach of confidence, and unjust enrichment.

Shortly after the amended lawsuit was filed, the defendant provided the plaintiffs with informal discovery, including information about the cybersecurity measures implemented prior to the data breach. After arm’s-length discussions, the material terms of a settlement were agreed upon. The settlement has now been finalized, with no admission of liability or wrongdoing, and the settlement has received preliminary approval from the court. The $600,000 will be used to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach, or class members may claim an alternative cash payment of $40.

The deadline for submitting a claim differs based on CPT ID. Class members with a CPT ID under 20,000 have until February 23, 2026, to submit a claim. Class members with a CPT ID over 20,000 have until May 4, 2026, to submit a claim. The final fairness hearing has been scheduled for May 4, 2026.