Legal News about HIPAA Compliance

$3.75M Settlement Resolves Data Breach Lawsuit Against Chattanooga Heart Institute

Memorial Heart Institute, doing business as Chattanooga Heart Institute in Tennessee, was sued over a data breach in 2023. A $3.75 million settlement has been agreed upon and has received the first nod from a judge. The final fairness hearing has been scheduled for May 28, 2026.

The cyberattack was identified on April 17, 2023. The investigation determined that a threat actor had access to the Chattanooga Heart Institute network between March 8 and March 16, 2023, and exfiltrated files, some of which contained patients’ protected health information. The file review confirmed that data compromised in the incident included names, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information.

The Karakurt ransomware group claimed responsibility for the attack. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 545,491 individuals. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single action – Cahill, et al., v. Memorial Heart Institute, LLC, d/b/a The Chattanooga Heart Institute – in the U.S. District Court for the Eastern District of Tennessee, Southern Division of Chattanooga.

According to the lawsuit, approximately 460,000 individuals had their private information exposed or stolen in the incident, including 287,000 individuals who had their Social Security numbers exposed. The plaintiffs alleged that Chattanooga Heart Institute negligently maintained patient data and had not implemented appropriate safeguards to prevent unauthorized access, claims strenuously denied by the Chattanooga Heart Institute. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, bailment, breach of fiduciary duty, invasion of privacy, and declaratory and injunctive relief.

Chattanooga Heart Institute sought to have the lawsuit dismissed; however, the request was denied in part, and the lawsuit was allowed to proceed. During discovery, the parties began exploring the possibility of an early resolution, and following mediation, agreed upon the material terms of a settlement. The settlement has now been finalized, with no admission of wrongdoing or liability by the Chattanooga Heart Institute. The defendant will establish a $3,750,000 settlement fund, which will be split into two separate funds – a non-reversionary $2,000,000 fund for the Social Security number subclass and a fund of up to $1,750,000 for the total class.

All class members may claim two years of credit monitoring services, valued at approximately $120 per year. In addition, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,500 per class member. A cash payment may also be claimed by members of the Social Security number settlement class. The cash payments will be paid pro rata after the settlement administration costs, a share of the attorneys’ fees and expenses, and service awards for the class representatives have been deducted. The attorneys’ fees and costs will be divided between the Social Security number class (53%) and the total class fund (47%). The deadline for submitting a claim is July 13, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 12, 2026.

The post $3.75M Settlement Resolves Data Breach Lawsuit Against Chattanooga Heart Institute appeared first on The HIPAA Journal.

Illinois Bone and Joint Institute Settles Class Action Data Breach Lawsuit for $4M

Illinois Bone and Joint Institute (IBJI), one of the largest orthopedic group practices in Illinois, has agreed to settle a consolidated class action lawsuit stemming from a 2024 cyberattack and data breach that affected up to 665,321 individuals.

IBJI identified unauthorized access to its computer systems on or around July 4, 2024. The forensic investigation determined that hackers had access to its network from May 30, 2024, to July 4, 2024, and copied files containing patient information. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnosis and treatment information, and health insurance/claims information. The breach was initially reported to the HHS’ Office for Civil Rights as affecting approximately 183,000 individuals. The total was later amended to 665,321 individuals, although the lawsuit states that approximately 568,000 individuals are in the settlement class.

The first class action lawsuit over the data breach was filed by plaintiff Guy Redman in the Circuit Court of Cook County, Illinois, County Department, Chancery Division. A further seven lawsuits were filed by other plaintiffs, which were consolidated into a single complaint because the lawsuits had overlapping claims. The consolidated class action lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

The defendant denied and continues to deny all claims and contentions in the lawsuit, including all claims of fault, wrongdoing, and liability. Following mediation, the material terms of a settlement were agreed upon to bring the litigation to an end and avoid the costs and distraction of protracted litigation and the uncertainty of a trial. The settlement has now been finalized and granted preliminary approval from the court. The final fairness hearing has been scheduled for July 1, 2026.

The defendant has agreed to establish a $4 million settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. The remainder of the settlement fund will be used to pay for benefits for the class members. Class members are entitled to two years of medical data monitoring, reimbursement of out-of-pocket losses due to the data breach, and a pro rata cash payment. Class members may claim reimbursement of up to $5,000 in documented, unreimbursed losses, and the cash payments are estimated to be $50 per class member, although the cash payments may be higher or lower depending on the number of claims received. The deadline for submitting a claim is July 1, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 1, 2026.


Anne Arundel Dermatology Pays $2.4M to Settle Data Breach Lawsuit

Anne Arundel Dermatology has agreed to pay $2,400,000 to settle a consolidated class action lawsuit stemming from a cybersecurity incident involving unauthorized access to its network for three months in 2025. Anne Arundel Dermatology identified suspicious activity within its computer network on May 13, 2025. The forensic investigation confirmed that an unauthorized third party had access to its network between February 14, 2025, and May 13, 2025. It was not possible to determine if patient data was accessed or exfiltrated in the attack, so notification letters were sent to 1,905,000 current and former patients who may have been affected. Information potentially compromised included names, addresses, birth dates, medical information, health insurance information, and other personal information.

Many class action lawsuits were filed in response to the data breach. Due to the lawsuits having overlapping claims, the 21 lawsuits were consolidated into a single action – In Re Anne Arundel Data Breach Litigation – in the U.S. District Court for the District of Maryland. The consolidated lawsuit alleged that Anne Arundel Dermatology negligently maintained sensitive data and failed to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence, breach of contract, breach of fiduciary duty, unjust enrichment, and intentional invasion of privacy, all of which were denied by the defendant, along with claims of wrongdoing, fault, and liability.

Class counsel explored the opportunity for an early resolution of the litigation, and following mediation, the material terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court. The final fairness hearing has been scheduled for July 16, 2026. Anne Arundel Dermatology has agreed to establish a $2.4 million settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives will be deducted. The remainder of the settlement fund will be used to pay for benefits for the class members.

Class members are entitled to claim a 3-year membership to the CyEx Medical Shield Complete product, which provides medical data monitoring, and one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or an alternative pro rata cash payment may be claimed, which is estimated to be $100 but may be higher or lower depending on the number of valid claims received. The deadline for opting out or objecting is June 9, 2026, and claims must be submitted by July 8, 2026.


Settlement Agreed to Resolve Class Action Data Breach Litigation Against Concord Orthopaedics

Concord Orthopaedics Professional Association, a New Hampshire-based provider of comprehensive orthopedic and rheumatology care, has settled a consolidated class action lawsuit stemming from a November 2024 cybersecurity incident involving unauthorized access to the personal and protected health information of 72,815 individuals.

Concord Orthopaedics detected an intrusion on November 21, 2024. Hackers had gained access to its computer network, where names, dates of birth, Social Security numbers, appointment information, health insurance information, and driver’s license/state identification numbers were stored. The affected individuals started to be notified about the incident on March 25, 2025.

The first class action lawsuit was filed by plaintiff Kattie Montambeault on April 1, 2025, in the Merrimack County Superior Court for the State of New Hampshire. A further four class action complaints were filed in response to the data breach, which were consolidated into a single action – Montambeault, et al. v. Concord Orthopaedics Professional Association – in the Superior Court of Hillsborough County, New Hampshire. The consolidated class action complaint names 12 individuals as class representatives.

The lawsuit alleged that Concord Orthopaedics failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data stored on its network, and that, as a result of that failure, the plaintiffs’ and class members’ personal and protected health information was accessed by hackers.

Concord Orthopaedics agreed to a settlement to resolve all claims asserted in the lawsuit with no admission of wrongdoing, fault, or liability. Class counsel and the class representatives believe that the settlement is fair, and the settlement has received preliminary approval from the court. The settlement provides multiple benefits for the class members. All class members are entitled to a one-year membership to a medical data monitoring service, and may also submit a claim for the following benefits:

  • Reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $3,000 per class member
  • Reimbursement of lost time of up to 4 hours at $25 per hour (maximum of $100)

In addition to or instead of a claim for reimbursement of out-of-pocket losses, class members may submit a claim for a one-time cash payment, which is estimated to be $50, but may be higher or lower depending on the number of valid claims received. Individuals submitting a claim for reimbursement of lost time are not eligible to claim the one-time cash payment.

The deadline for objecting to the settlement or requesting exclusion is May 26, 2026. The deadline for submitting a claim is July 8, 2026, and the final fairness hearing has been scheduled for June 23, 2026.


OrthopedicsNY Settles Class Action Data Breach Lawsuit for $1.45M

A $1,450,000 settlement has been agreed upon to resolve a class action lawsuit against the New York orthopedic medicine and surgery practice OrthopedicsNY. The class action complaint was filed in response to a December 2023 ransomware attack and data breach that exposed the personal and electronic protected health information of 656,086 patients.

OrthopedicsNY, which operates almost 20 clinics in the Capital Region in New York State, was attacked by the INC Ransom threat group on or around December 28, 2023. Prior to encrypting files, INC Ransom exfiltrated sensitive patient data, including names, contact information, financial information, protected health information, Social Security numbers, passport numbers, and driver’s license numbers. The affected individuals were notified on November 4, 2024.

Several class action lawsuits were filed in response to the data breach, which were consolidated into a single action – Michael Sayers, et al. v. OrthopedicsNY, LLP – in the Circuit Court of the 17th Judicial Circuit in and for Broward County, Florida. The plaintiffs alleged that the defendant promised to protect their sensitive personal and health information but failed to do so, resulting in a ransomware attack and the theft of their data. The plaintiffs asserted claims for negligence, negligence per se, breach of implied contract, and unjust enrichment.

OrthopedicsNY agreed to a settlement to avoid the cost and time of protracted litigation and the uncertainty of a trial. Class counsel and the class representatives believe the settlement is fair and that accepting the settlement is in the best interests of class members. Under the terms of the settlement, OrthopedicsNY has agreed to establish a $1,450,000 settlement fund to cover attorneys’ fees and expenses, notification and administration costs, and service awards for the 12 named class representatives. After covering those costs, the remainder of the settlement fund will be used to pay for benefits to the class members.

Class members may claim one of two cash payments. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or they may claim an alternative cash payment, which is anticipated to be $50 per class member, but may be higher or lower depending on the number of valid claims received. The deadline for objection, opting out, and submitting a claim is June 15, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for June 30, 2026.

In addition to the class action settlement, OrthopedicsNY previously settled an investigation by the New York Attorney General and paid a $500,000 financial penalty. The New York Attorney General determined that OrthopedicsNY failed to implement reasonable and appropriate cybersecurity measures to secure patient data, in violation of federal and state laws. In addition to the financial penalty, OrthopedicsNY agreed to implement and maintain a comprehensive information security program and several cybersecurity measures to bolster security and offer the affected individuals one year of complimentary credit monitoring services.


Cardiovascular Consultants Pays $3.85M to Settle Data Breach Litigation

Cardiovascular Consultants in Arizona has settled a class action lawsuit stemming from a 2023 data breach involving the protected health information of 484,000 individuals. The data breach was detected on September 29, 2023, and the forensic investigation determined that a hacker had gained access to its network two days earlier. Files containing patient information were exfiltrated before ransomware was used to encrypt files.

The compromised files contained patient and guarantor information, including names, mailing addresses, birth dates, emergency contact information, Social Security numbers, driver’s license numbers, state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records. Notification letters were mailed on December 2, 2023.

A class action complaint was filed in December 2023 by plaintiffs Michele Stroup and Georgios Asimakopoulos, and additional plaintiffs later joined the litigation as class representatives. The defendant denied all claims in the lawsuit and sought to have the lawsuit dismissed. That attempt was only partially successful, with a judge granting and denying the motion to dismiss in part. An amended complaint – Stroup, et al. v. Cardiovascular Consultants Ltd. – was filed, which is pending in the Superior Court of the State of Arizona, County of Maricopa.

The lawsuit alleged that the defendant failed to implement reasonable security protections to safeguard its information systems and databases, and that the handling of the data breach was deficient, with notifications unreasonably delayed. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, violation of the Arizona Consumer Fraud Act, and invasion of privacy, all of which were denied by the defendant.

Following mediation, a settlement was agreed that was acceptable to all parties, allowing them to avoid further litigation costs and the uncertainty of a trial. Under the terms of the settlement, Cardiovascular Consultants has agreed to establish a $3,850,000 settlement fund to cover all costs associated with the litigation, including attorneys’ fees and expenses, notice and administration costs, and service awards for the class representatives.

The remainder of the settlement fund will be used to pay benefits to the class members. Class members may claim two years of medical monitoring plus one or two cash payments – a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member and/or a pro rata cash payment, which is estimated to be $75 per class member, but may be higher or lower depending on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 18, 2026. Individuals wishing to object to the settlement or exclude themselves must do so by June 1, 2026. The deadline for submitting a claim is July 1, 2026.


Iowa AG Sues Change Healthcare Over 2024 Ransomware Attack

Iowa Attorney General Brenna Bird has filed a lawsuit against Change Healthcare, UnitedHealth Group, and Optum over the February 2024 ransomware attack that resulted in the theft of the electronic protected health information of 192.7 million Americans, including 2.2 million Iowans.

AG Bird accuses the defendants of making false representations about their cybersecurity practices and systems before and after the cyberattack. AG Bird claims the defendants played down the seriousness of the incident in the February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC), which stated that a suspected nation state actor had gained access to some of its information systems and that the affected systems had been isolated.

AG Bird said what was described as a relatively benign isolation of systems was in fact the largest healthcare data breach in U.S. history, and one of the largest data breaches of any kind in the United States. “The breach and subsequent shutdown of services, without warning and without adequate backup and redundancies, was so great that it sent the entire U.S. healthcare system into a virtual meltdown,” AG Bird stated in the lawsuit.

Cybercriminals have long targeted U.S. healthcare organizations, and given the high volume of attacks, the defendants should have known that they would be a huge target for cybercriminals, both because of the volume of sensitive data that flowed through Change Healthcare’s systems and because of the impact a ransomware attack would have. Despite this, AG Bird alleged that the measures implemented were insufficient and did not match the standards claimed by the defendants. AG Bird alleged that the Change Healthcare cyberattack and data breach “occurred because Change’s systems were insecure, outdated, and lacked appropriate segmentation and redundancies—in violation of Change’s advertised practices, company policies, federal privacy requirements, and basic standards of enterprise information security.”

According to the lawsuit, following a Congressional inquiry into the incident, and over the course of many months, “it became clear that defendants materially misrepresented the quality and characteristics of their cybersecurity systems to Iowans and to Iowa healthcare providers, in violation of Iowa law.” In addition to failing to adequately secure its systems and sensitive data, AG Bird took issue with the time taken to notify the affected individuals, some of whom only learned that their data had been compromised 20 months after their data was stolen.

The lawsuit asserts claims of violations of the Iowa Consumer Fraud Act, Iowa Code, and the Personal Information Security Breach Protection Act. The lawsuit seeks civil monetary penalties of $40,000 per violation of Iowa Code § 714.16(7), civil penalties of $5,000 for each violation of the Iowa Consumer Fraud Act, for all moneys or property acquired in violation of the Iowa Consumer Fraud Act to be disgorged to the Attorney General, and awards of damages on behalf of all persons injured due to the violations of the Iowa Personal Information Security Breach Protection Act. Further, the lawsuit seeks to enjoin the defendants from continuing to commit further unlawful practices pursuant to Iowa Code.


Eye Physicians of Central Florida Data Breach Settlement

Eye Physicians of Central Florida has agreed to settle a class action lawsuit stemming from a 2023 data breach that affected more than 31,000 patients. Eye Physicians of Central Florida identified suspicious activity within its computer network on November 5, 2023, and confirmed access by an unauthorized third party. The data breach affected 31,189 patients, according to the breach notice submitted to the HHS’ Office for Civil Rights (OCR).

The hackers gained access to systems containing names, addresses, dates of birth, medical diagnosis and treatment information, provider names, patient ID numbers, procedure codes, dates of service, treatment cost information, financial account information, state ID numbers, health insurance information, and/or prescription information.

A class action lawsuit – Connell v. Eye Physicians of Central Florida, P.L.C. – was filed in the Circuit Court for Orange County, Florida, by plaintiff Alisa Connell individually and on behalf of similarly situated individuals who had data exposed in the incident. Eye Physicians of Central Florida sought to have the lawsuit dismissed, and was partially successful, although the lawsuit was allowed to proceed, and the plaintiff filed an amended complaint asserting claims for negligence and breach of fiduciary duty.

The lawsuit was actively litigated for 18 months, then all parties engaged in private mediation, resulting in a settlement that was agreeable to all parties. Eye Physicians of Central Florida maintains there was no wrongdoing, believes there is no liability, and denies and continues to deny all claims and allegations in the lawsuit.

The settlement provides multiple benefits for the class members. Class members are entitled to claim two years of credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy. In addition, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach and attested lost time of up to three hours at $25 per hour. Claims for reimbursement of losses are capped at $2,000 per class member for ordinary losses and $7,500 for extraordinary losses. There is no alternative cash payment.


Excelsior Orthopaedics; Buffalo Surgery Center Pay $2.4 Million to Settle Data Breach Lawsuit

A settlement has been reached to resolve class action data breach litigation against Excelsior Orthopaedics and Buffalo Surgery Center. The lawsuit was filed in response to a 2024 data breach that affected hundreds of thousands of patients. On or around June 23, 2024, Amherst, New York-based Excelsior Orthopaedics identified suspicious network activity, and its forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The data breach also affected Northtowns Orthopaedics in Buffalo and Buffalo Surgery Center.

Excelsior Orthopaedics reported the data breach to the HHS’ Office for Civil Rights as affecting 394,752 individuals, and Buffalo Surgery Center reported the breach as affecting 64,000 of its patients. The hackers obtained names, demographic information, driver’s license numbers, Social Security numbers, medical information, health insurance information, and financial information. The affected individuals were notified on December 31, 2024.

Multiple class action lawsuits were filed against Excelsior Orthopaedics and Buffalo Surgery Center over the data breach. The lawsuits were consolidated – Szucs et al. v. Excelsior Orthopaedics, LLP et al. – in the Supreme Court of the State of New York, County of Erie. The consolidated lawsuit alleged that the plaintiffs and class members suffered multiple injuries as a result of the data breach, and that those injuries were caused as a result of the “defendants’ failures to properly secure, safeguard, encrypt, and/or timely and adequately destroy Plaintiffs’ and Class Members’ sensitive personal identifiable and health information.”

The lawsuit alleged that the defendants failed to comply with industry standards for cybersecurity, FTC guidelines, and their obligations under HIPAA. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, and violations of the New York Deceptive Acts and Practices Act.

The defendants deny all claims and contentions in the lawsuit and deny any wrongdoing or liability; however, the defendants and the plaintiffs agreed that a settlement was the best outcome to avoid the costs of protracted litigation and the uncertainty of trial. Under the terms of the settlement, the defendants agreed to pay $2,400,000 to settle the lawsuit, from which attorneys’ fees and expenses, notification and settlement costs, and service awards for the 9 named plaintiffs will be deducted. The remainder of the settlement fund will be used to pay for benefits for the class members.

Those benefits include two years of three-bureau credit monitoring services, the code for which will be automatically sent to the class members, without having to submit a claim. In addition, class members may choose to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, if a claim for reimbursement of losses is not submitted, class members may claim a cash payment. The cash payments will be paid pro rata, and the value will depend on the remaining settlement funds. The deadline for objection to the settlement and exclusion is May 17, 2026. Claims must be submitted by June 11, 2026, and the final fairness hearing has been scheduled for July 8, 2026.
