SAG-AFTRA Health Plan has settled a class action lawsuit over a September 2024 email data breach. Hackers gained access to the health plan’s email systems between September 17 and September 18, 2026, after employees responded to phishing emails. The attack exposed sensitive personal and protected health information, which was potentially copied by the hackers.

Data compromised in the incident included names and Social Security numbers and, for some individuals, health information, claims information, and plan participant identification numbers. The breach was reported to the HHS’ Office for Civil Rights initially as affecting 35,592 individuals, although that total was later increased to 98,474 individuals. The lawsuit states that approximately 94,546 notification letters were mailed.

The first class action lawsuit over the data breach was filed by plaintiffs Matthew Rouillard and Kristy Munden in December 2024, and a further three class action lawsuits were subsequently filed by other plaintiffs. The lawsuits had overlapping claims, so were consolidated into a single action – In re SAG Health Data Breach Litigation – in the U.S. District Court for the Central District of California.

The consolidated lawsuit asserted several claims, including negligence and violations of California laws. To avoid the expense, distraction, and uncertainty of a trial and related appeals, SAG-AFTRA Health Plan and the plaintiffs agreed to a settlement. SAG-AFTRA Health Plan has agreed to establish a $950,000 settlement fund to cover attorneys’ fees and expenses, claims administration costs, service awards for the class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a pro rata cash payment, which will be paid from the remaining funds after claims and costs have been deducted. Individuals who were not California residents at the time of the data breach will receive one pro rata share of the remainder of the settlement fund, and California residents will receive two shares.

All class members will receive an 18-month membership to a credit monitoring and identity theft protection service, even if they do not submit a claim for reimbursement of losses or a cash payment. Claims must be submitted by July 23, 2026. The deadline for objection and exclusion is June 23, 2026, and the final fairness hearing has been scheduled for September 24, 2026.

December 13, 2026: SAG-AFTRA Members Sue Health Plan Over Email Breach

A class action lawsuit has been filed by members of the Screen Actors Guild – American Federation of Television and Radio Artists (SAG-AFTRA) health plan over a recent email phishing attack that exposed their protected health information. An unauthorized third party accessed an employee’s email account between September 17 and September 18, 2024, after the employee responded to a phishing email and potentially viewed or copied names, Social Security numbers, health insurance information, and claims information. The breach was reported to the HHS’ Office for Civil Rights as affecting 35,592 individuals, and individual notifications were mailed on December 2, 2024. The total was later increased to 98,474 individuals.

Three days after notification letters were mailed, a lawsuit was filed by Clarkson Law Firm P.C. in the U.S. District Court in Los Angeles that names SAG-AFTRA members Matthew Rouillard and Kristy Munden as plaintiffs. The lawsuit alleges SAG-AFTRA failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to members’ sensitive data, which was exfiltrated in the attack, failed to adequately monitor its network and computer systems, and failed to issue timely notifications about the breach. Notification letters were sent more than 2 months after the email account breach was discovered.

The lawsuit alleges the plaintiffs and class members have suffered injuries such as out-of-pocket expenses associated with preventing, detecting, and remediating identity theft, social engineering, and fraud; lost opportunity costs while attempting to mitigate the consequences of the data breach; lost time; an invasion of privacy; diminution in value of their private information; and an increased risk of identity theft and fraud.

The lawsuit claims that in light of the data breach and lack of cybersecurity protections, members overpaid for their health plans. The lawsuit asserts claims of unjust enrichment, invasion of privacy, negligence, breach of express warranty, and violations of the California Civil Code (Deceit by concealment), California Unfair Competition Law (Business & Professions Code), and the California Confidentiality of Medical Information Act.

The lawsuit seeks class action status, a jury trial, monetary damages, restitution, and an order from the court requiring adequate security protocols to be implemented, proper notice to be provided to the affected individuals, and prohibiting the health plan from engaging in further wrongful acts.

The post SAG-AFTRA Health Plan Settles Lawsuit Over 2024 Phishing Incident appeared first on The HIPAA Journal.

South Texas Oncology and Hematology, a San Antonio, TX-based provider of leading-edge cancer treatment and other medical services, has settled a class action lawsuit stemming from a February 2024 cyberattack and data breach that involved unauthorized access to the personal information of 176,303 individuals, including the protected health information of 175,195 individuals.

Suspicious network activity was identified on February 15, 2024, and the forensic investigation confirmed that an unauthorized individual accessed its network and potentially obtained employee and patient information. Data exposed in the incident included names, contact information, dates of birth, health information, and Social Security numbers. The affected individuals were notified about the incident in June 2024.

The first class action lawsuit over the data breach was filed by plaintiff Doris Flores on June 24, 2024, in the U.S. District Court for Bexar County, Texas, 438^th Judicial District. Several other lawsuits were subsequently filed, and since they made similar claims and had overlapping classes, the plaintiffs’ counsel agreed to work cooperatively and litigate in a single action – Flores v. South Texas Oncology and Hematology, PLLC.

The consolidated lawsuit alleged that the defendant failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network, and that the data breach should have been prevented. South Texas Oncology and Hematology maintains that there was no wrongdoing, there is no liability, and denies all claims and contentions in the lawsuit. The defendant and the plaintiffs agreed to a settlement to avoid the costs and risk associated with a trial, with no admission of fault or liability.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for July 21, 2026. Under the terms of the settlement, South Texas Oncology and Hematology has agreed to pay $1,075,000 to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of up to $5,000 in documented, unreimbursed losses due to the data breach, or they may claim an alternative pro rata cash payment. The cash payments are estimated to be $100 per class member, but may be higher or lower depending on the number of valid claims received. In addition to one of those benefits, class members may also claim two years of free medical data monitoring services. Claims must be submitted by July 6, 2026, and individuals wishing to object to the settlement or exclude themselves must do so by June 22, 2026.

The post South Texas Oncology and Hematology Pays $1.1M to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Alabama Ophthalmology Associates, P.C., has settled a class action lawsuit that was filed in response to a January 2025 cyberattack on its computer systems. The intrusion was identified on January 30, 2025, and the forensic investigation confirmed unauthorized access to its network between January 22 and January 30, 2025.

The hackers had access to files containing names, dates of birth, Social Security numbers, medical record numbers, treatment information, medical history information, and health insurance information. The Alabama Ophthalmology data breach affected 131,576 individuals, and notification letters were mailed in April 2025. Multiple class action lawsuits were filed in response to the data breach, which were consolidated as they had overlapping claims – In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation – in the Circuit Court of Jefferson County, Alabama.

The consolidated lawsuit alleged that the defendant failed to implement reasonable and appropriate safeguards to protect sensitive data on its network, resulting in unauthorized access and exposure of patient data, and failed to issue adequate breach notifications. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, fraud, misrepresentation, unjust enrichment, bailment, wantonness, and failure to provide adequate notice pursuant to any breach notification statute or common law duty.

The defendant denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing and that there is no liability. To avoid further legal costs and the uncertainty of a trial, all parties explored early resolution of the lawsuit, and a settlement was ultimately agreed upon that was acceptable to all parties.

Class members are entitled to claim two years of medical data monitoring and identity theft protection services, plus one of two cash payments. A claim may be submitted for documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for an alternative pro rata cash payment, the value of which will depend on the number of valid claims received. The cash payments are expected to be around $60 per class member. The deadline for objection and exclusion is June 5, 2026. Claims must be submitted by June 25, 2026, and the final fairness hearing has been scheduled for July 6, 2026.

The post Alabama Ophthalmology Associates Data Breach Settlement Gets First Nod appeared first on The HIPAA Journal.

Tempus AI, a publicly traded healthcare artificial intelligence company, is facing multiple class action lawsuits over the alleged unauthorized collection and disclosure of genetic testing results, which were derived from genetic testing by Ambry Genetics Corporation (Ambry Genetics).

Ambry Genetics offers comprehensive genetic testing services, including screening and diagnosis of inherited and non-inherited diseases. Tempus AI was founded in 2015 and builds tech solutions around clinical care and research products. In February 2025, Tempus AI acquired Ambry Genetics for $600 million, and as a condition of the acquisition, Ambry Genetics was required to disclose its vast database of genetic data to Tempus AI. The database contained the genetic information of hundreds of thousands of individuals.

Tempus AI used Ambry Genetics’ genetic database to train its AI models. Tempus AI had signed agreements with more than 70 companies, including large and mid-sized pharmaceutical firms such as AstraZeneca, Bristol Myers Squibb, Pfizer, and GlaxoSmithKline, and biotechnology firms such as Incyte, Servier, Aspera Biomedicines, and Whitehawk Therapeutics. Genetic data derived from Ambry Genetics testing services was provided to those clients under those agreements.

Several class action lawsuits were filed against Tempus AI over the use of genetic data to train the AI models and the subsequent disclosures of genetic data. The lawsuits were consolidated into a single complaint – Farrier et al v. Tempus AI, Inc. – on April 15, 2026, in the U.S. District Court for the Northern District of Illinois. The lawsuit alleges that Tempus AI violated the Illinois Genetic Information Privacy Act (GIPA) and other state statutes by compelling Ambry Genetics to disclose the genetic data collected through its testing services and violating the same laws by disclosing the genetic data through its agreements with third-party partners. The lawsuit claims that Tempus AI has profited enormously from selling genetic data without the knowledge or written consent of the data subjects. The lawsuit alleges that the class members’ genetic data was disclosed to those clients in deals totaling $1.1 billion.

Tempus AI claims to have a clinical and molecular data library consisting of 45 million de-identified patient records, including 8.5 million clinical records, 2 million medical images, and 1 million matched clinical-genomic records. The lawsuit alleges that Tempus AI and Ambry Genetics misled the public by claiming that they only disclose de-identified genetic information, when that is not the case. Further, the lawsuit claims that genetic information “cannot be deidentified because such data serves as an inherently unique biomarker,” and like DNA, the information is inherently identifiable.

The 21-count lawsuit asserts claims for negligence, unjust enrichment, fraudulent concealment, Conversion, invasion of privacy-intrusion upon seclusion, breach of contract, breach of implied contract, breach of fiduciary duty, and violations of consumer and data protection laws, deceptive trade practices laws in California, Florida, Georgia, Illinois, Michigan, New York, and West Virginia.

The plaintiffs seek a jury trial and damages, injunctive relief, and any other remedies that the Court deems appropriate to redress Tempus AI’s alleged unlawful and unauthorized data collection and disclosures, including an order from the court compelling Tempus AI to cease sharing individuals’ genetic data without first providing the data subjects with proper notice and obtaining their written consent.

The post Healthcare AI Firm Sued Over Alleged Unlawful Disclosures of Genetic Data appeared first on The HIPAA Journal.

A class action lawsuit filed against Absolute Dental Group, LLC, and Judge Consulting, Inc., over a 2025 data breach has been settled for $3,300,000. Absolute Dental is a Nevada-based dental care provider, and Judge Consulting is a provider of technology consulting, staffing solutions, and corporate training services. Absolute Dental contracted with Judge Consulting as its managed services provider and was responsible for the daily management and operations of Absolute Dental’s IT systems.

Absolute Dental identified suspicious activity within its network on February 26, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network between February 19, 2025, and March 5, 2025. Access was gained through an account associated with Judge Consulting. The hackers had access to names, contact information, Social Security numbers, driver’s license numbers, health information, health insurance information, financial information, and other sensitive data. The data breach was one of the largest of the year, affecting 1,223,635 individuals.

Several class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Jordan et al. v. Absolute Dental Group, LLC, et al., – in the U.S. District Court for the District of Nevada. The lawsuit alleged that the defendants failed to adequately secure patient data, failed to properly monitor their systems for intrusions, and failed to provide timely notice to the victims of the breach. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, breach of fiduciary, breach of confidence, invasion of privacy, violations of the Nevada Privacy of Information Collected on the Internet From Consumers Act, and declaratory and injunctive relief.

Following mediation, the plaintiffs and the defendants agreed to a settlement that was acceptable to all parties, with no admission of wrongdoing, fault, or liability by the defendants. A $3,300,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the five class representatives. The remainder of the settlement fund will be used to pay for benefits for the class members.

Class members may choose to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may claim an alternative pro rata cash payment, the value of which will depend on the number of valid claims received. Residents of California at the time of the data breach also qualify for an additional cash payment. The deadline for objection to and exclusion from the settlement is June 9, 2026. Claims must be submitted by June 18, 2026, and the final approval hearing has been scheduled for July 30, 2026.

The post Absolute Dental Settles Class Action Data Breach Lawsuit for $3.3M appeared first on The HIPAA Journal.

Tangoe, a provider of software solutions for managing telecom, mobile, and cloud expenses, has agreed to a settlement to resolve a class action lawsuit stemming from a November 2022 security incident. Tangoe experienced a cyberattack, exposing sensitive data such as names, dates of birth, Social Security numbers, medical information, health insurance information, medication information, billing and claims information, and financial account information. Hackers had access to its systems between November 15, 2022, and November 17, 2022.

The breach affected some of its healthcare clients and involved unauthorized access to the protected health information of 4,765 individuals, according to the breach notice filed with the HHS’ Office for Civil Rights. While the breach occurred in November 2022, it took until November 1, 2023, for the affected individuals to be notified. A lawsuit – Kevin McLinden v. Tangoe US, Inc.– was filed in the Superior Court for Marion County, Indiana, over the data breach, alleging Tangoe failed to implement reasonable and appropriate cybersecurity measures, leading to an entirely preventable data breach. Tangoe denies all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability.

After prolonged and extensive arm’s length negotiations, all parties agreed to a settlement to avoid the expense and length of protracted litigation and the uncertainty of a trial and any related appeals. Under the terms of the settlement, class members are entitled to claim two years of credit monitoring services, which include a $1 million identity theft insurance policy. In addition to the credit monitoring services, class members may claim one or more cash payments.

A claim may be submitted for compensation for documented, unreimbursed ordinary losses due to the data breach incurred between November 2022 and June 3, 2026. Claims for reimbursement of ordinary losses have been capped at $750 per class member. A claim may also be submitted for compensation for lost time up to a maximum of four hours at $25 per hour ($100). The lost time claims are included in the $750 ordinary losses cap.

A claim may also be submitted for reimbursement of extraordinary losses, such as documented, unreimbursed losses due to identity theft and fraud. Claims for extraordinary losses have been capped at $5,000 per class member. If a claim for reimbursement of losses/lost time is not submitted, class members are eligible to claim an alternative pro rata cash payment. The cash payments will be paid from the remainder of the settlement fund, and are expected to be around $50, but may be higher or lower depending on the number of claims received. No proof is required to submit a claim for an alternative cash payment.

The deadline for exclusion and objection to the settlement is May 4, 2026. Claims must be submitted by June 3, 2026, and the final fairness hearing has been scheduled for June 11, 2026. Individuals who do nothing will receive no benefits and will lose the right to sue the defendant over the data breach or participate in other lawsuits related to the data breach.

The post Tangoe Data Breach Settlement Receives Preliminary Approval appeared first on The HIPAA Journal.

Memorial Heart Institute, doing business as Chattanooga Heart Institute in Tennessee, was sued over a data breach in 2023. A $3.75 million settlement has been agreed upon and has received the first nod from a judge. The final fairness hearing has been scheduled for May 28, 2026.

The cyberattack was identified on April 17, 2023. The investigation determined that a threat actor had access to the Chattanooga Heart Institute network between March 8 and March 16, 2023, and exfiltrated files, some of which contained patients’ protected health information. The file review confirmed that data compromised in the incident included names, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information.

The Karakurt ransomware group claimed responsibility for the attack. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 545,491 individuals. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single action – Cahill, et al., v. Memorial Heart Institute, LLC, d/b/a The Chattanooga Heart Institute – in the U.S. District Court for the Eastern District of Tennessee, Southern Division of Chattanooga.

According to the lawsuit, approximately 460,000 individuals had their private information exposed or stolen in the incident, including 287,000 individuals who had their Social Security numbers exposed. The plaintiffs alleged that Chattanooga Heart Institute negligently maintained patient data and had not implemented appropriate safeguards to prevent unauthorized access, claims strenuously denied by the Chattanooga Heart Institute. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, bailment, breach of fiduciary duty, invasion of privacy, and declaratory and injunctive relief.

Chattanooga Heart Institute sought to have the lawsuit dismissed; however, the request was denied in part, and the lawsuit was allowed to proceed. During discovery, the parties began exploring the possibility of an early resolution, and following mediation, agreed upon the material terms of a settlement. The settlement has now been finalized, with no admission of wrongdoing or liability by the Chattanooga Heart Institute. The defendant will establish a $3,750,000 settlement fund, which will be split into two separate funds – a non-revisionary $2,000,000 fund for the Social Security number subclass and up to $1,750,000 fund for the total class.

All class members may claim two years of credit monitoring services, valued at approximately $120 per year. In addition, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,500 per class member. A cash payment may also be claimed by members of the Social Security number settlement class. The cash payments will be paid pro rata after the settlement administration costs, a share of the attorneys’ fees and expenses, and service awards for the class representatives have been deducted. The attorneys’ fees and costs will be divided between the Social Security number class (53%) and the total class fund (47%). The deadline for submitting a claim is July 13, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 12, 2026.

The post $3.75M Settlement Resolves Data Breach Lawsuit Against Chattanooga Heart Institute appeared first on The HIPAA Journal.

Illinois Bone and Joint Institute (IBJI), one of the largest orthopedic group practices in Illinois, has agreed to settle a consolidated class action lawsuit stemming from a 2024 cyberattack and data breach that affected up to 665,321 individuals.

IBJI identified unauthorized access to its computer systems on or around July 4, 2024. The forensic investigation determined that hackers had access to its network from May 30, 2024, to July 4, 2024, and copied files containing patient information. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnosis and treatment information, and health insurance/claims information. The breach was initially reported to the HHS’ Office for Civil Rights as affecting approximately 183,000 individuals. The total was later amended to 665,321 individuals, although the lawsuit states that approximately 568,000 individuals are in the settlement class.

The first class action lawsuit over the data breach was filed by plaintiff Guy Redman in the Circuit Court of Cook County, Illinois, County Department, Chancery Division. A further seven lawsuits were filed by other plaintiffs, which were consolidated into a single complaint because the lawsuits had overlapping claims. The consolidated class action lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

The defendant denied and continues to deny all claims and contentions in the lawsuit, including all claims of fault, wrongdoing, and liability. Following mediation, the material terms of a settlement were agreed upon to bring the litigation to an end and avoid the costs and distraction of protracted litigation and the uncertainty of a trial. The settlement has now been finalized and granted preliminary approval from the court. The final fairness hearing has been scheduled for July 1, 2026.

The defendant has agreed to establish a $4 million settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards from the class representatives. The remainder of the settlement fund will be used to pay for benefits for the class members. Class members are entitled to two years of medical data monitoring, reimbursement of out-of-pocket losses due to the data breach, and a pro rata cash payment. Class members may claim reimbursement of up to $5,000 in documented, unreimbursed losses and the cash payments are estimated to be $50 per class member, although the cash payments may be higher or lower depending on the number of claims received. The deadline for submitting a claim is July 1, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 1, 2026.

The post Illinois Bone and Joint Institute Settles Class Action Data Breach Lawsuit for $4M appeared first on The HIPAA Journal.

Anne Arundel Dermatology has agreed to pay $2,400,000 to settle a consolidated class action lawsuit stemming from a cybersecurity incident involving unauthorized access to its network for three months in 2025. Anne Arundel Dermatology identified suspicious activity within its computer network on May 13, 2025. The forensic investigation confirmed that an unauthorized third party had access to its network between February 14, 2025, and May 13, 2025. It was not possible to determine if patient data was accessed or exfiltrated in the attack, so notification letters were sent to 1,905,000 current and former patients who may have been affected. Information potentially compromised included names, addresses, birth dates, medical information, health insurance information, and other personal information.

Many class action lawsuits were filed in response to the data breach. Due to the lawsuits having overlapping claims, the 21 lawsuits were consolidated into a single action – In Re Anne Arundel Data Breach Litigation – in the U.S. District Court for the District of Maryland. The consolidated lawsuit alleged that Anne Arundel Dermatology negligently maintained sensitive data and failed to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence, breach of contract, breach of fiduciary duty, unjust enrichment, and intentional invasion of privacy, all of which were denied by the defendant, along with claims of wrongdoing, fault, and liability.

Class counsel explored the opportunity for an early resolution of the litigation, and following mediation, the material terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court. The final fairness hearing has been scheduled for July 16, 2026. Anne Arundel Dermatology has agreed to establish a $2.4 million settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives will be deducted. The remainder of the settlement fund will be used to pay for benefits for the class members.

Class members are entitled to claim a 3-year membership to the CyEx Medical Shield Complete product, which provides medical data monitoring, and one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or an alternative pro rata cash payment may be claimed, which is estimated to be $100 but may be higher or lower depending on the number of valid claims received. The deadline for opting out and objection is June 9, 2026, and claims must be submitted by July 8, 2026.

The post Anne Arundel Dermatology Pays $2.4M to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.