Legal News about HIPAA Compliance

Jefferson Healthcare Agrees to Settle Meta Pixel Class Action Litigation

Jefferson Healthcare has agreed to settle a class action lawsuit that alleged sensitive data was transmitted to third parties without patient consent due to its use of Meta Pixel and other tracking technologies on its website. Jefferson Healthcare serves residents of eastern Jefferson County on the Olympic Peninsula in Washington State. According to the lawsuit – Jane Doe et al. v. Jefferson County Public Hospital District No. 2 D/B/A Jefferson Healthcare – Jefferson Healthcare installed computer code, including Meta Pixel, on its website between March 19, 2020, and March 19, 2024.

The plaintiffs allege that the implementation of the code allowed their protected health information to be transmitted to third parties such as Facebook and Google without their knowledge or consent. The complaint was filed on March 19, 2024, and Jefferson Healthcare filed a motion to dismiss, which was granted in its entirety by Jefferson County Superior Court Judge Brandon Mack on July 24, 2024. On August 23, 2024, the plaintiff filed a Notice of Appeal with the Washington Court of Appeals.

The plaintiffs and the defendant agreed that a settlement was in the best interests of all parties to avoid the burden, expense, risk, and uncertainty of continuing the litigation. The terms of the settlement have now been agreed upon, and the settlement has received preliminary court approval. Under the terms of the settlement, class members are entitled to claim a voucher for a 12-month subscription to CyEx Privacy Shield, valued at $330.

Jefferson Healthcare has also agreed not to use Meta Pixel on its website for at least two years, unless it is determined that its use is consistent with applicable laws, and an affirmative disclosure is made in the privacy statement on its website that Meta Pixel is being used. Jefferson Healthcare has agreed to pay attorneys’ fees of $125,000, awards of $2,500 for the class representatives, and will cover the settlement administration costs.

Class members wishing to exclude themselves or object to the settlement have until October 17, 2025, to do so. Claims for a voucher must be submitted by November 17, 2025, and the final approval hearing has been scheduled for December 5, 2025.

The post Jefferson Healthcare Agrees to Settle Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.

23andMe Requests Bankruptcy Judge Approve Revised $50 Million Data Breach Settlement

23andMe has proposed an increased settlement fund to resolve U.S. litigation over its 2023 data breach, adding a further $20 million to the $30 million settlement proposed last year. The $30 million settlement was given preliminary approval by a federal court judge in December.

The data breach began in April 2023 and involved unauthorized access to customer accounts for around 5 months as a result of a credential stuffing attack. Approximately 7 million customers were affected, 6.4 million of whom were located in the United States. Customer accounts were compromised because they used the same password as other platforms that had previously been breached. While credential stuffing attacks exploit poor password practices by users of a platform, 23andMe was criticized for having inadequate security, such as not requiring multi-factor authentication to protect accounts.

The $30 million settlement was agreed upon and received preliminary approval before 23andMe’s bankruptcy. The company filed for Chapter 11 bankruptcy protection in March 2025 to maximize value through a court-supervised sale. The company was purchased for $305 million by a nonprofit organization led by former 23andMe CEO Anne Wojcicki in July 2025. The sale freed up more assets to cover claims from individuals affected by the data breach.

After the previous settlement was agreed upon, 23andMe received more than 250,000 valid claims from class members who provided proof of losses. The increase in the size of the settlement will resolve “a substantial majority” of U.S. claims, according to 23andMe’s attorneys, who said the proceeds from the sale of the company remain the only source of monetary recovery for victims of the data breach. As such, they hope the judge will be convinced to approve the revised settlement.

In addition to providing reimbursement for documented, out-of-pocket expenses incurred as a result of the data breach, the settlement resolves claims that the company failed to tell customers with Chinese and Ashkenazi Jewish ancestry that they were being targeted by a hacker, and that their stolen data had been offered for sale on the dark web.

In addition to covering reimbursement of losses, class members will also be entitled to enroll in a five-year Privacy & Medical Shield + Genetic Monitoring program from CyEx, which was specifically set up for 23andMe customers affected by the data breach. The package provides enhanced protection, including identity theft monitoring, dark web monitoring, and genetic anomaly detection services. Wojcicki said the revised settlement closely tracks the settlement proposed and approved last year. The proposed settlement now awaits preliminary approval from the court.

23andMe has also asked the Missouri bankruptcy judge to approve a separate $3.25 million settlement (Can$4.49 million) to resolve a class action lawsuit in Canada, which will provide benefits for the 300,000 Canadian citizens affected by the data breach.

September 16, 2024: 23andMe Settles Data Breach Lawsuit for $30 Million

A settlement had previously been agreed in principle to resolve a 23andMe HIPAA data breach lawsuit, and now the terms have been finalized. 23andMe has agreed to pay $30 million to settle the consolidated class action lawsuit – In re 23andMe Inc Customer Data Security Breach Litigation – and received preliminary approval for the settlement in federal court in San Francisco on Thursday. The settlement still requires final approval from a federal court judge.

The 23andMe data breach (summarized below) involved unauthorized access to user accounts through credential stuffing, rather than a cyberattack on the 23andMe platform. The data of 6.9 million users was compromised in the attack, and the stolen data was sold on the dark web, including a dataset of individuals with Chinese and Ashkenazi Jewish heritage who appeared to have been specifically targeted.

Under the terms of the settlement, individuals whose data was compromised are entitled to receive a share of the settlement fund after litigation costs and attorneys’ fees have been deducted. The plaintiffs’ lawyers will receive between one-quarter and one-third of the settlement amount. In addition to a cash payment, class members will also be entitled to three years of complimentary monitoring services. The settlement is intended to resolve all U.S. claims regarding the 2023 credential stuffing attack and data breach.

23andMe denies all wrongdoing and liability but chose to settle the lawsuit to avoid further litigation and the uncertainty of trial and believes the settlement is “fair, adequate, and reasonable.” The plaintiffs’ attorneys have said the settlement addresses the main claims of their clients and avoids the significant risks of continuing litigation.

23andMe has been facing financial difficulties since the security incident. The company’s stock price has fallen from $10 a share when the company went public three years ago to less than $1 a share. 23andMe CEO Anne Wojcicki had offered to take the company private earlier this year but a special committee rejected the offer in early August. 23andMe warned that due to its current financial position, if there is any litigated judgment significantly more than the proposed settlement amount it would likely be uncollectable. The company said it faces parallel litigation in state court and private arbitration forums on behalf of tens of thousands of settlement class members.

Under the terms of the settlement, class members may submit claims for the following:

  • An extraordinary claim for up to $10,000 to recover unreimbursed costs and expenditures related to the security incident. The costs can include losses due to identity theft, falsified tax returns, the costs of physical security or a monitoring system purchased in response to the security incident, and unreimbursed costs associated with professional mental health counseling or treatment as a result of the security incident. A cap of $5 million has been placed on these claims.
  • Class members who were residents of Alaska, California, Illinois, or Oregon at the time of the breach may submit a statutory cash claim for $100, per the genetic privacy laws in those states.
  • Class members whose health information was compromised may submit a claim for a $100 cash payment.
  • All class members can enroll in Privacy & Medical Shield + Genetic Monitoring, which includes a password manager, medical record monitoring, and anti-phishing protection.

23andMe anticipates that around $25 million of the settlement amount will be covered by its cyber insurance policy. Class members can object to the settlement, exclude themselves to allow them to pursue their own legal case against 23andMe, or accept the settlement and submit a claim for their share of the settlement fund.

July 19, 2024: 23andMe Reaches Agreement in Principle to Settle Class Action Data Breach Lawsuit

23andMe has reached an agreement in principle to settle a class action lawsuit that was filed in response to a breach of customer data in 2023. The breach occurred in October 2023 and resulted in the theft of the data of approximately 6.9 million individuals, around half of its customers. There was no breach of 23andMe’s systems; instead, a threat actor conducted a credential stuffing attack, which allowed access to be gained to certain customer accounts. Around 14,000 individual accounts were compromised, around 0.1% of its customers.

When the breach was discovered, 23andMe placed the blame for the attack on customers’ poor security practices. The accounts could only be accessed as the affected customers had used the same username/password combinations that had been used to secure accounts on unrelated platforms. When those third-party platforms experienced data breaches and credentials were stolen, they could be used to access any other account where the credentials had been used, which in this case was 23andMe.

Data obtained from those accounts included uninterrupted raw genotype data, health predisposition reports, and carrier-status reports. The threat actor also exploited a 23andMe feature – DNA Relatives – which allows people to connect with their DNA relatives. Through that feature, the threat actor accessed the profile information of around 5.5 million 23andMe users as well as the Family Tree information of a further 1.4 million individuals. The threat actor then listed datasets for sale, including customers with Jewish and Chinese heritage.

More than two dozen lawsuits were filed against 23andMe over the data breach. The plaintiffs’ attorneys claimed that the datasets being offered for sale could be used as a hit list, allowing Jews to be targeted, and the Chinese dataset could be used by the intelligence agencies of the People’s Republic of China to target dissidents. While the 14,000 accounts were accessed due to customers’ password reuse, attorneys for the plaintiffs argued that 23andMe should have done more to protect users’ sensitive data.

They alleged that 23andMe should have been aware that a cyberattack was likely, and should have taken steps to reduce risk, and should have had proper data breach protocols in place. Further, the company should have notified customers with Jewish and Chinese heritage that the datasets had been made available and that they could potentially be targeted. The lawsuits also alleged that 23andMe lied about data security and had failed to implement protections in accordance with industry standards, then lied about the scope and severity of the breach.

At a court hearing on Tuesday, attorneys for the San Francisco-based company disclosed that a settlement had been agreed in principle to bring the litigation to an end. The company is finalizing the details and hopes to produce an executive term sheet in the next week and will then draft a full settlement agreement. “We have reached an agreement in principle for a full settlement of U.S. claims regarding the 2023 ‘credential stuffing’ security incident,” said 23andMe, in a statement provided to the San Francisco Business Times. “We believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”

Lawyers for the plaintiffs and class argued that under the Illinois Genetic Information Privacy Act, some of the class were owed up to $3 billion in damages. In its annual report, 23andMe disclosed that the company has around $216 million in cash, so any continued legal action to obtain substantial damages risked 23andMe filing for bankruptcy. The terms of the settlement have not yet been disclosed, but the settlement is likely to involve payment for dark web monitoring services and non-monetary relief. A hearing has been scheduled for July 30 for the court to be provided with an update on the term sheet, and a motion for preliminary approval of the proposed settlement is expected to be filed within a couple of months.


Alphabet’s Verily Sued by Former Executive Over Alleged HIPAA Breaches

A lawsuit has been filed against Alphabet-owned Verily by a former employee who alleges that the personally identifiable health information of more than 25,000 patients was misused, and the company failed to report the HIPAA breaches, as required by the Health Insurance Portability and Accountability Act (HIPAA).

Verily, formerly Google Life Sciences, is a research organization owned by Google’s parent company, Alphabet. The Verily platform drives AI-powered precision health solutions that help pharmaceutical firms bring new therapies to market sooner and health systems and payers improve patient outcomes at a lower cost. The lawsuit alleges that an internal investigation confirmed HIPAA breaches involving HIPAA-protected data obtained from 14 HIPAA-regulated entities. The lawsuit claims patient data was used without authorization, in violation of the HIPAA Privacy Rule. Further, while the investigation uncovered misuses of patient data, Verily failed to disclose the breach, delaying notifications while contract renewals were negotiated with the affected covered entities, in violation of the HIPAA Breach Notification Rule.

The lawsuit was filed last year; however, it was not reported by the media until it was spotted by CNBC, which reported on the lawsuit last week. The lawsuit was filed by Ryan Sloan, a former chief commercial officer at Verily Onduo, Verily’s diabetes and hypertension business. The lawsuit is currently pending in the United States District Court for the Northern District of California in San Francisco, having survived a motion to dismiss or resolve the lawsuit through arbitration.

Sloan was hired by Verily in 2020 and was employed until he was terminated in January 2023. Sloan claims that he and Julia Feldman, general counsel at Onduo, discovered the HIPAA violations in January 2022 and reported them to senior management. Sloan claims that patient data was used for research, marketing campaigns, press releases, and national conferences, which are not uses permitted by the HIPAA Privacy Rule unless consent is obtained from patients.

Sloan claims that he and Feldman repeatedly raised the matter with senior management, and an internal investigation confirmed that there had been several HIPAA breaches of business associate agreements between Verily and HIPAA-covered entities, including Quest Diagnostics, Highmark Health, Walgreens Boots Alliance, and others. Despite the discovery of HIPAA breaches, Sloan alleges no notifications were issued.

He claims that during a contract negotiation between Verily and Highmark Health in August 2022, Verily misrepresented that it was fully compliant with the HIPAA Rules at all times, when the company knew that HIPAA violations had occurred, including with Highmark Health data. The lawsuit claims that Feldman was terminated later that month, along with another individual who was aware of the HIPAA breaches. Sloan was terminated in January 2023, which he claims was in response to repeatedly raising concerns about the HIPAA violations and the alleged cover-up of the HIPAA breaches.

There is no private cause of action under HIPAA, so individuals are not permitted to sue for HIPAA violations. Only the HHS’ Office for Civil Rights (OCR) and state attorneys general have the authority to take legal action for HIPAA violations. The lawsuit, Sloan v. Verily Life Sciences LLC, claims that Verily retaliated against Sloan after he raised the HIPAA violations in good faith, in breach of his employment contract. Verily denies the allegations.

“Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the full extent of the law,” said a Verily spokesperson in a statement to CNBC. “Verily is an equal opportunity employer, and takes its responsibility and commitment to abide by all laws and regulations seriously. As this is an ongoing legal matter, Verily will not be providing further comment at this time.”


R1 RCM & Dignity Health to Pay $675,000 to Settle Data Breach Lawsuit

A $675,000 settlement has been agreed upon to resolve a class action data breach lawsuit against R1 RCM Inc., a revenue cycle management company, and Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus in Henderson, Nevada.

The lawsuit stems from a data breach at R1 RCM, which was detected on November 23, 2023. R1 RCM determined that the hacker had exfiltrated sensitive data such as names, contact information, dates of birth, Social Security numbers, service locations, diagnosis information, patient account numbers, and medical record numbers. The data breach was reported to the HHS’ Office for Civil Rights as affecting 16,121 individuals.

The lawsuit – Heather Hillbom v. R1 RCM, Inc. and Dignity Health dba Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus – was filed in the U.S. District Court for the District of Nevada on April 5, 2024, and alleged that the defendants were negligent by failing to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. The defendants maintain there was no wrongdoing and that there is no liability; however, the decision was made to settle the lawsuit to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, class members are entitled to claim two years of three-bureau credit monitoring services and identity theft protection services through CyEx Medical Shield Total. In addition, all class members may claim a monetary payment, which will be calculated after attorneys’ fees, credit monitoring costs, legal expenses, settlement administration costs, service awards, and claims for out-of-pocket expenses have been deducted from the settlement fund. Claims may also be submitted for reimbursement of documented, unreimbursed, out-of-pocket losses. Up to $500 may be claimed as reimbursement for ordinary out-of-pocket expenses, and up to $2,500 for extraordinary out-of-pocket expenses, such as losses to fraud and identity theft.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 14, 2025. The deadline for objecting to or excluding oneself from the settlement is October 13, 2025, and all claims must be received by November 11, 2025.


Adena Health to Pay $17.8 Million to Settle Pixel Lawsuit

Adena Health System, a nonprofit health system serving patients in south central and southern Ohio, has agreed to pay $17.8 million to resolve claims that it unlawfully disclosed patient data to third parties via tracking pixels on its MyChart patient portal.

Adena Health is one of many health systems to use tools such as Meta Pixel and Google Analytics code to track users on its website; however, these tools were also implemented on its patient portal, which requires users to log in. Whilst on the website and patient portal, users’ data was collected, which may have included personally identifiable information (PII) and protected health information (PHI). That information was automatically sent to companies such as Meta and Google.

A lawsuit was filed over the disclosures, which were alleged to have occurred without the knowledge or consent of the data subjects. Users of the patient portal could book appointments, research medical conditions, learn about treatment options, and communicate with their providers. The lawsuit alleged that health conditions, preferred treatment options, physicians’ details, and search queries were all collected by the tracking tools and were transmitted to third parties. If a user was logged into their Facebook account at the time, the lawsuit claims the unique Facebook identifier was also transmitted, allowing them to be personally identified. The lawsuit claims the tools were knowingly added to the website and that Adena Health unjustly profited from the disclosures.

The lawsuit alleged negligence, breach of confidence, breach of fiduciary duty, unjust enrichment, invasion of privacy, and a violation of the Electronic Communications Privacy Act, and claimed that there is civil liability for criminal actions – the knowing disclosure of individually identifiable health information to a third party. Adena Health denies wrongdoing and liability and disagrees with the claims and contentions in the lawsuit; however, it agreed to a settlement to bring the litigation to an end to avoid the risks and uncertainties of trial and further litigation costs.

Under the terms of the settlement, the 89,000 class members who visited the patient portal between November 1, 2022, and June 3, 2024, are entitled to claim a cash payment of $21 and a year of credit monitoring and identity theft protection services, valued at $179 per person. The settlement now awaits approval from the court.


HHS Agrees to Settlement Requiring the Restoration of Deleted Health Data and Websites

The Trump administration has agreed to settle a lawsuit filed by the Washington State Medical Association (WSMA) and eight other plaintiffs that sought to stop and reverse the deletion of important public health and science data from federal websites. Under the terms of the settlement, the Department of Health and Human Services is required to restore more than 100 datasets and webpages that were deleted since January 2025.

On January 20, 2025, President Trump signed several executive orders, two of which concerned gender identity and diversity, equity, and inclusion (DEI) – Executive Order 14168: Ending Radical and Wasteful Government DEI Programs and Preferencing & Executive Order 14151: Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government. Over the course of several months, the Trump administration directed federal agencies such as the Centers for Disease Control and Prevention (CDC), National Institutes of Health (NIH), and Food and Drug Administration (FDA) to delete public health information that had previously been published on those agencies’ websites.

The deleted content included public health information relating to LGBTQ health, gender and reproductive health, vaccine guidance, Mpox treatment, pregnancy risk, opioid use disorder, HIV/AIDS research, and the NIH HIV Risk reduction tool, data from clinical trials, and more.

A lawsuit was filed in federal court to stop the deletion of data from taxpayer-funded websites, restore the deleted content, and establish legal protection to prevent future efforts to suppress public health information. The lawsuit was filed by the WSMA, Washington State Nurses Association, Washington Chapter of the American Academy of Pediatrics, AcademyHealth, Association of Nurses in AIDS Care, Fast-Track Cities Institute, International Association of Providers of AIDS Care, National LGBT Cancer Network, and Vermont Medical Society.

The defendants were Robert F. Kennedy Jr., Department of Health and Human Services (HHS), Matthew Buzzelli, CDC, Jay Bhattacharya, NIH, Martin A. Makary, FDA, Thomas J. Engels, Health Resources and Services Administration, Charles Ezell, and the Office of Personnel Management.

The lawsuit – Washington State Medical Association et al. v. Kennedy et al. – alleged that the deleted data was critical to public health research and combating morbidity and mortality, and the removal of health-related data in response to the executive orders violated the Administrative Procedure Act, the separation of powers principle, the Paperwork Reduction Act, the Public Health Service Act, and the Prematurity Research Expansion and Education for Mothers Who Deliver Infants Early Act.

“The unannounced and unprecedented deletion of these federal webpages and datasets came as a shock to the medical and scientific communities, which had come to rely on them to monitor and respond to disease outbreaks, assist physicians and other clinicians in daily care, and inform the public about a wide range of healthcare issues,” wrote the plaintiffs in the lawsuit. “Health professionals, nonprofit organizations, and state and local authorities used the websites and datasets daily to care for their patients, provide resources to their communities, and promote public health.”

The lawsuit alleged that thousands of databases have been deleted, depriving the medical community and the public of accessing critical resources. The defendants have restored some of the deleted datasets and webpages, in some instances in response to court orders, but the restoration has been inconsistent and scattershot. The plaintiffs claimed that the defendants made “arbitrary, capricious and unreasoned” decisions to delete critical resources that, under American law, are required to be made available to the American people.

“Access to trustworthy information allows us to solve real problems, improve health outcomes, and plan for the future. If we don’t stand up for data now, we risk losing the tools we rely on to make progress, regardless of politics,” said Dr. Aaron Carroll, president and CEO of AcademyHealth.

On September 2, 2025, the WSMA announced that it was thrilled that a settlement had been reached, which requires the HHS to restore webpages and data that were wrongfully deleted, and make them available again to physicians, scientists, medical professionals, and the American public. Under the terms of the settlement, the HHS is required to restore the deleted websites, webpages, and datasets that were taken down this year and have not already been restored, as detailed in Appendix A of the complaint.

“I am extremely proud of the health care community in Washington state and our partners in this case for pushing back on this egregious example of government overreach,” said John Bramhall, MD, PhD, president of the WSMA. “This was not a partisan issue – open data benefits everyone, and ensuring its availability should be a bipartisan priority.”


Settlement Agreed to Resolve Weirton Medical Center Data Breach Lawsuit

Weirton Medical Center in West Virginia has agreed to a settlement to resolve class action litigation over a January 2024 ransomware attack that involved the exfiltration of sensitive data from its network. Hackers had access to its computer network between January 14 and January 18, 2024, and used ransomware to encrypt files. Data stolen in the attack included names, dates of birth, Social Security numbers, health insurance information, and treatment information. The affected individuals were notified on March 18, 2024, and the data breach was reported to the HHS Office for Civil Rights as affecting 26,793 individuals.

Four class action lawsuits were filed in response to the data breach in the U.S. District Court for the Northern District of West Virginia, naming Trish Yano, Matthew Foltz, Leslie Telek, and Judy Mullins as plaintiffs. The lawsuits were consolidated into a single lawsuit – In re Weirton Medical Center Data Breach Litigation – on June 21, 2024. The lawsuit asserted claims of negligence and negligence per se for failing to protect sensitive data on its network from unauthorized access, as well as unjust enrichment, breach of implied contract, breach of confidence, and breach of fiduciary duty.

The lawsuit survived a motion to dismiss, and all parties filed a joint motion to stay proceedings pending mediation. Weirton Medical Center disagreed with all claims and contentions in the lawsuit; however, after a full day of mediation, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and resolves the litigation in its entirety, with no admission of liability or wrongdoing.

All class members are entitled to claim one of two cash payments and credit monitoring services. A claim may be submitted for reimbursement of actual documented, unreimbursed losses that were more likely than not caused by the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim a cash payment of $50.00, without providing any documentation to prove losses.

All class members can claim one year of three-bureau credit monitoring services, which include identity theft protection and recovery services, and a $1,000,000 identity theft insurance policy. The deadline for exclusion from and objection to the settlement is October 6, 2025. Claims must be submitted by November 5, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 3, 2025.


CVS Health Faces HIPAA Probe Over Alleged Use of Patient Data for Lobbying and Political Advocacy

CVS Health is facing a probe into potential HIPAA violations related to the alleged use of patient data for lobbying purposes to prevent the passing of a Louisiana state bill that could affect its business interests. The bill in question, House Bill 358 (HB 358), proposes several amendments to current pharmacy laws in Louisiana. One of the proposed amendments would prohibit providers in the state from operating as both pharmacy benefit managers (PBMs) and individual pharmacies.

A pharmacy benefit manager is an intermediary between drug companies and pharmacies that negotiates prices with the drug companies on behalf of employers and health plans. They often also manage pharmacy networks and operate mail-order pharmacies. PBMs are facing increased scrutiny over their business practices. The Federal Trade Commission (FTC) alleged that major PBMs have inflated drug prices to increase company profits, negotiating lower prices from drug companies, then marking up the drug prices at their pharmacies. According to an FTC report earlier this year, between 2017 and 2022, UnitedHealth Group’s Optum, CVS Health’s CVS Caremark, and Cigna’s Express Scripts increased the prices of medications for heart disease, cancer, and HIV at their affiliated pharmacies, boosting revenues by $7.3 billion in excess of the acquisition costs of the medications.

Several states have passed laws to rein in PBMs and limit their influence on drug pricing, and reducing the cost of medications is a key priority for the Trump administration. CVS Health and Cigna have filed lawsuits attempting to overturn a law implemented in Arkansas to this effect, and CVS Health is alleged to have engaged in lobbying to prevent HB 358 from being passed in Louisiana. If the bill is signed into law, it would have serious implications for CVS Health, which operates the PBM CVS Caremark as well as 119 CVS pharmacies in the state of Louisiana.

Louisiana Attorney General Liz Murrill launched an investigation of CVS Health earlier this year after receiving reports alleging CVS Health had sent large numbers of text messages to state employees and their families to lobby against the proposed legislation. One of the texts informed the recipients that if the bill is signed into law, their CVS Pharmacy could close, medication costs could rise, and their pharmacist could lose their job.

The texts included a link to a draft letter to lawmakers calling for them to reject the legislation. “The proposed legislation would take away my and other Louisiana patients’ ability to get our medications shipped right to our homes,” the letter read. “They would also ban the pharmacies that serve patients suffering from complex diseases requiring specialty pharmacy care to manage their life-threatening conditions, like organ transplants or cancer. These vulnerable patients cannot afford any disruption to their care – the consequences would be dire.” CVS Health has been accused of lying and using scare tactics to oppose the bill, which CVS Health denies.

In late June, AG Murrill filed three lawsuits against CVS Health alleging unfair, deceptive, and unlawful practices that have harmed Louisiana patients, independent pharmacies, and the public at large. According to CVS Health spokesperson Amy Thibault, the bill was proposed with no public hearing. “We believe we had a responsibility to inform our customers of misguided legislation that sought to shutter their trusted pharmacy, and we acted accordingly,” Thibault said. “Our communication with our customers, patients and members of our community was consistent with law.”

Now, a probe has been launched by two Republican lawmakers in response to the allegations that patient data was used for lobbying purposes, potentially in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. House Committee on Oversight and Government Reform Chairman James Comer (R-KY) and Subcommittee on Federal Law Enforcement Chairman Clay Higgins (R-LA) wrote to CVS Health President and CEO David Joyner, demanding answers about how patient data has been used.

“This text message campaign raises ethical and potential legal issues if indeed CVS Pharmacy used confidential patient information, obtained through a state contract, to lobby against H.B. 358,” wrote the lawmakers. “The inflammatory and misleading text messages—which included threats of pharmacy location closures, increased prescription costs, and loss of service providers—sought to encourage CVS Pharmacy customers to contact Louisiana lawmakers to oppose the bill. This is concerning because CVS Pharmacy must comply with the Health Insurance Portability and Accountability Act (HIPAA) to access confidential patient information.”

The lawmakers explained in the letter that the HIPAA Privacy Rule does not expressly permit the use of patient data for political advocacy or lobbying, so patient authorization would be required for such uses. They pointed out that the mass texting capabilities CVS Health pharmacies use to notify patients about prescription updates and other individualized patient information appear to have been used in a manner that may have violated HIPAA.

The lawmakers have requested documentation and copies of communications related to the use of patient and customer personal health information for the purposes of political advocacy or lobbying in Louisiana and all other states from January 1, 2020, to the present. They require a response by September 18, 2025.

The post CVS Health Faces HIPAA Probe Over Alleged Use of Patient Data for Lobbying and Political Advocacy appeared first on The HIPAA Journal.

Morris Hospital Agrees to $1.36M Class Action Data Breach Settlement

Morris Hospital & Healthcare Centers has agreed to settle a consolidated class action lawsuit that alleged negligence for failing to prevent an April 2023 data breach that affected 248,943 individuals. Under the terms of the settlement agreement, Morris Hospital will establish a $1,361,571.77 settlement fund to cover attorneys’ fees, legal expenses, and benefits for the class members.

In April 2023, Morris Hospital identified unauthorized access to its network. The hackers had access to the personal and protected health information of current and former patients, employees, and their dependents and beneficiaries. The Royal ransomware group claimed responsibility for the attack and posted the stolen data on its data leak site. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit in the Circuit Court of the Thirteenth Judicial Circuit, Grundy County, Illinois – In re: Morris Hospital Data Breach Litigation. In addition to negligence, the lawsuit asserted claims of negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act.

Morris Hospital denies all allegations of wrongdoing and liability, while the plaintiffs maintain that the claims have merit. All parties agreed to a settlement, which was viewed as being in the best interests of all parties considering the risks and costs of continuing with the litigation. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for October 24, 2025. Benefits for class members will be paid after all costs and expenses have been deducted from the settlement fund, including up to $453,857.26 in attorneys’ fees, attorneys’ expenses, $2,000 service awards for each of the 13 named plaintiffs, and settlement administration costs that have yet to be determined.

All class members may submit a claim for 24 months of comprehensive credit monitoring and identity theft protection services through CyEx Medical Shield Total. In addition, class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member. If a claim for losses is not submitted, class members may instead claim a pro rata cash payment, which is expected to be approximately $100, depending on the number of claims received. Further information can be found on the settlement website: https://www.morrishospitalsettlement.com/

Individuals wishing to object to or be excluded from the settlement have until September 29, 2025, to do so, and all claims must be submitted by October 28, 2025.

The post Morris Hospital Agrees to $1.36M Class Action Data Breach Settlement appeared first on The HIPAA Journal.