Legal News about HIPAA Compliance

Atrium Health Pays Up to $1.8M to Resolve Pixel Lawsuit

Charlotte-Mecklenburg Hospital Authority, doing business as Atrium Health, has agreed to pay up to $1,800,000 to settle a class action lawsuit stemming from its use of pixels and other tracking technologies on its MyAtriumHealth (formerly called MyCarolinas) patient portal.

North Carolina-based Atrium Health operates a dozen hospitals in North and South Carolina, along with more than 900 care facilities in the two states. Like many health systems, Atrium Health used tracking technologies on its patient portal. These tools have important uses for website operators; however, their use on healthcare websites risks impermissible disclosures of sensitive data.

When these tools are added to authenticated web pages such as patient portals, patients’ protected health information may be disclosed to the third-party providers of the tools, such as Meta (Facebook) and Google. Following an investigation, Atrium Health determined that between January 1, 2015, and July 31, 2019, the protected health information of up to 585,959 patients may have been impermissibly disclosed to third parties as a result of the use of these tools. When reporting the data breach, Atrium Health assumed that all patients who used the portal had their ePHI impermissibly disclosed.

The data potentially compromised included IP addresses and third-party identifiers/cookies. If forms were filled out, that disclosed information may also have included full names, email addresses, phone numbers, city/state/zip code, gender, and any other information entered into the forms.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Julie Roberts, et al. v. The Charlotte-Mecklenburg Hospital Authority – in the Superior Court of Mecklenburg County, North Carolina, naming Julie Roberts, Judith Sigmon, Darielle Hill, and Chrisanna Brown as representatives of a national class.

The plaintiffs alleged that their privacy had been violated by the defendant’s use of these tools, which they claim were added to the patient portal without their knowledge or consent. The lawsuit asserted claims for breach of express contract, breach of implied duty of good faith and fair dealing, breach of implied contract, negligence, breach of fiduciary duty, and unjust enrichment.

Atrium Health denies all wrongdoing and maintains it has not violated any laws and filed a motion to dismiss, which was partially successful; however, the lawsuit was allowed to proceed. The parties ultimately agreed to a settlement to avoid the costs and risks associated with continuing the litigation.

The settlement covers all individuals residing in the United States who had patient portal accounts – MyAtriumHealth or MyCarolinas – between January 1, 2025, and April 10, 2024, with limited exceptions. Atrium Health has agreed to establish a $1,800,000 settlement fund, from which $1,500,000 will be used to cover attorneys’ fees and expenses, administration costs (for Group 1 claims), and payments to individuals who used their accounts between January 1, 2015, and July 31, 2019.

The settlement also includes up to $300,000 to pay for claims from individuals who had a Patient Portal account between January 1, 2015, and April 10, 2024, but did not access their account between January 1, 2015, and July 31, 2019. (Group 2). The remainder of the funds in the Group 1 settlement will be paid pro rata to individuals who submit a claim, and individuals in Group 2 will receive a payment of up to $10 if they submit a claim. The deadline for opting out and objection is August 31, 2026. Claims must be submitted by September 28, 2026, and the final fairness hearing has been scheduled for September 30, 2026.

The post Atrium Health Pays Up to $1.8M to Resolve Pixel Lawsuit appeared first on The HIPAA Journal.

Vision Care Providers Settle Data Breach Class Actions

Settlements have been agreed to resolve class action lawsuits against two vision care providers: Total Vision in California and Naper Grove Vision Care in Illinois. Both providers fell victim to hacking incidents that exposed patient data.

Total Vision Settlement

A settlement has been agreed to resolve class action litigation against Total Vision LLC, which owns and operates a network of optometry centers throughout California. Total Vision experienced a hacking incident on or around October 30, 2020, in which hackers accessed a database server. The server contained sensitive patient information such as names, addresses, dates of birth, Social Security numbers, and prescription information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 138,402 current and former patients.

Total Vision faced two class action lawsuits over the data breach, which were consolidated into a single complaint – Ramey, et al. v. Total Vision, LLC, et al. – in the Superior Court of California, County of San Diego, naming Anjanette Ramey and Jane Doe as class representatives. In addition to Total Vision, John C. Pack, O.D., and Beverly Bianes, O.D., Inc., and John C. Pack, O.D., and Beverly Bianes, O.D., were named as defendants.

The lawsuit alleged the data breach occurred as a result of the negligence of the defendants, who failed to properly secure the server and protect patient information, then failed to issue adequate breach notices. The plaintiffs allege that they experienced numerous instances of attempted data misuse and identity theft as a result of the security incident. The lawsuit asserted claims for negligence, breach of implied contract, and violations of California’s unfair competition law, the Confidentiality of Medical Information Act, and California security notification laws, all of which were denied by the defendants, along with the allegations of wrongdoing and liability.

During mediation on November 21, 2023, the terms of a settlement were agreed by all parties, and the settlement has now been finalized and has received preliminary approval from the court. The defendants have agreed to establish a $475,000 settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives will be deducted. The remaining funds will be used to pay for class member benefits.

Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $1,000 per class member, and/or a claim may be submitted for a pro rata cash payment, the value of which will depend on the number of valid claims received. The defendants have also agreed to implement improved data security measures, valued at $224,000. The exclusion/objection deadline is September 4, 2026. Claims must be submitted by October 5, 2026, and the final fairness hearing has been scheduled for December 18, 2026.

Naper Grove Vision Care Settlement

Naper Grove Vision Care in Naperville, Illinois, has settled class action litigation stemming from a May 2025 security incident that involved unauthorized access to the protected health information of 20,093 individuals. On May 24, 2025, Naper Grove Vision Care identified unauthorized network access. The Interlock ransomware group claimed responsibility for the attack and obtained patient information such as names, addresses, birth dates, driver’s license numbers, patient numbers, health insurance information, explanation of benefits documents, and medical condition and treatment information. Some Social Security numbers were also among the accessed data.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated – In re Naper Grove Data Breach Litigation – in the Circuit Court of the Eighteenth Judicial Circuit, Dupage County, Illinois. The consolidated lawsuit names Ashley Fett and Paul Mifsud as class representatives. The lawsuit alleged that the data breach occurred due to the failure to implement reasonable and appropriate cybersecurity measures, and asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act. All claims and contentions continue to be denied by Naper Grove Vision Care.

All parties have agreed to settle the litigation, with no admission of fault, liability, or wrongdoing. The defendant will cover the cost of attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives.  Claims may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member.

If a claim for reimbursement of losses is not submitted, class members may submit a claim for an alternative cash payment. The cash payments will be paid pro rata from a $50,000 settlement fund. Regardless of which option is chosen, class members qualify for a one-year membership to a credit and medical data monitoring service. The deadline for objection/exclusion is September 18, 2026. Claims must be submitted by September 18, 2026, and the final approval hearing has been scheduled for October 20, 2026.

The post Vision Care Providers Settle Data Breach Class Actions appeared first on The HIPAA Journal.

Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement

Physicians Primary Care of Southwest Florida was the victim of a targeted cyberattack in September 2024 that exposed patient data. The data breach sparked a class action lawsuit alleging the breach could have been prevented, as Physicians Primary Care of Southwest Florida failed to implement reasonable and appropriate security measures to prevent unauthorized access to patient data in its possession.

Physicians Primary Care of Southwest Florida is a medical facility with offices in Fort Myers, Cape Coral, Estero, and Lehigh Acres, Florida, that specializes in internal medicine, obstetrics, gynecology, family practice, and pediatrics. On or around September 17, 2024, unauthorized access to its network was identified. The hackers behind the attack had access to the network from September 15, 2024, to September 17, 2024, and potentially viewed or obtained patient data such as names, health information, and Social Security numbers. The data breach was reported to the HHS’ Office for Civil Rights as affecting 170,653 individuals.

The first lawsuit over the data breach was filed on December 3, 2024, in the Circuit Court of the Twentieth Judicial Circuit. An amended complaint was filed on March 7, 2025, in the Circuit Court for Lee County, Florida, naming two alternative plaintiffs, as the plaintiff who filed the initial complaint was determined not to be a putative class member.

The lawsuit – Cirillo et al. v. Physicians Primary Care of Southwest Florida, P.L. – asserted claims for negligence, breach of implied contract, breach of fiduciary duty, violation of the Florida Deceptive and Unfair Trade Practices Act, and declaratory judgment. Physicians Primary Care of Southwest Florida denies wrongdoing and liability and disagrees with the claims and contentions asserted by the lawsuit.

Shortly after the amended complaint was filed, the parties began exploring the possibility of an early resolution. A settlement was not agreed upon during mediation, but after several months of negotiations, terms were agreed that were acceptable to all parties. The settlement class consists of all living adults in the United States who received a notification that the data breach involved their information.

Under the terms of the settlement, class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member. There is no alternative cash payment; however, all individuals are eligible to enroll in two years of medical monitoring services, which include a $1 million identity theft insurance policy.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for September 14, 2026. Individuals wishing to object to the settlement or opt out must do so by August 30, 2026. Claims must be submitted by September 29, 2026

The post Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement appeared first on The HIPAA Journal.

Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation

A settlement has been agreed to resolve a class action lawsuit against the Nashville, TN-based health plan administration service provider, Lucent Health Solutions. The litigation stems from an October 2023 phishing attack that allowed a threat actor to obtain credentials for an email account.

Lucent Health Solutions said the threat actor only had a 90-minute window to access the account, and no evidence was found of data theft; however, the account contained the protected health information of approximately 37,000 individuals, including their names, dates of birth, Social Security numbers, and health, dental, and vision group and/or plan numbers.  The affected individuals were notified about the data breach in  January 2025, 15 months after the breach occurred.

A putative class action lawsuit was filed by plaintiff Royal Corralejo – Royal Corralejo v. Lucent Health Solutions, LLC Litigation – in the Circuit Court for Davidson County, Tennessee, which was removed to the United States District Court for the Middle District of Tennessee. The lawsuit alleged that the defendant had failed to implement reasonable and appropriate cybersecurity measures, resulting in the data breach. The defendant denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing.

After considering the costs and risks associated with a trial and related appeals, all parties agreed to discuss settling the lawsuit. During mediation on August 29, 2025, the material terms of a settlement were agreed by all parties, with no admission of liability or wrongdoing by the defendant. The settlement provides several benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $550 per class member, and a claim for up to $5,500 reimbursement for extraordinary losses from fraud or identity theft. A claim may also be submitted for up to 5 hours of lost time at $25 per hour.

Individuals who chose not to claim those benefits may instead claim a one-time cash payment of $80. Regardless of whether a claim is submitted for reimbursement of losses or the cash payment, class members may also claim a three-year membership to the CyEx Medical Shield Complete medical data monitoring service.

The defendant has agreed to pay up to $1,950,000 to resolve the lawsuit, which includes attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the plaintiff. Should claims exceed that total, claims will be subject to a pro rata reduction. The deadline for objection and opting out of the settlement is August 21, 2026. The deadline for submitting a claim is September 5, 2026, and the final fairness hearing has been scheduled for September 9, 2026.

The post Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack

A settlement has been agreed to resolve a class action lawsuit against the Pinehurst, North Carolina-based molecular, cytology, and pathology service provider Marlboro-Chesterfield Pathology, P.C. The lawsuit was filed in response to a January 2025 ransomware attack by the SafePay ransomware group.

Unauthorized network access was identified on January 16, 2025, and the forensic investigation confirmed that 235,911 individuals had their data compromised in the attack, including their names, dates of birth, Social Security numbers, and protected health information. The affected individuals were notified about the incident on or around May 7, 2025.

A class action lawsuit – Cox v. Marlboro-Chesterfield Pathology, P.C – was filed in the County of Moor Superior Court by plaintiff Cox, individually and on behalf of similarly affected individuals. Plaintiff Cox alleged that her personal and protected health information was in the hands of cybercriminals as a result of the attack, and that the ransomware attack occurred as a result of the failure of Marlboro-Chesterfield Pathology to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network.

Marlboro-Chesterfield Pathology maintains there was no wrongdoing and disagrees with the claims and contentions in the lawsuit, including claims of fault and liability, and plaintiff Cox believes her claims are valid. After arms-length negotiations, and after the parties considered the costs and risks associated with continuing with the litigation, they entered into settlement discussions, and the material terms of a settlement were agreed on November 21, 2025.

The settlement has now been finalized and has received preliminary approval from the court. The defendant has agreed to pay attorneys’ fees and expenses, settlement administration and notice costs, and a service award for the class representative. Attorneys’ fees and costs have been capped at $100,000.

Class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member. Individuals who had their Social Security numbers compromised in the incident may submit a claim for an alternative cash payment of $10, should they choose not to submit a claim for reimbursement of losses.

All individuals, regardless of whether they submit a claim for reimbursement of losses or the cash payment, are entitled to a one-year membership to a credit monitoring and identity theft protection service, which includes a $1 million identity theft insurance policy. The deadline for objection, opting out, and submitting a claim is August 21, 2026. The final fairness hearing has been scheduled for October 12, 2026.

The post Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack appeared first on The HIPAA Journal.

Memorial Healthcare Services Settles Pixel Litigation

Memorial Healthcare Services, a nonprofit healthcare provider serving patients in Southern California, has agreed to settle a class action lawsuit over its use of pixels and other tracking, web analytics, and advertising technologies on its website.

The tools are alleged to have been added to the website without the knowledge or consent of patients, causing website users’ personally identifiable information (PII) to be collected and transferred to third parties.  The disclosures of PII and health information without consent are alleged to have violated the  California Invasion of Privacy Act. Memorial Healthcare Services maintains that there was no wrongdoing.

The lawsuit – Valladolid v. Memorial Health Services – was filed by plaintiff Michelle Valladolid in the Superior Court of California, County of Los Angeles, individually and on behalf of similarly situated individuals. After considering the likely cost of continuing with the litigation and risks associated with a trial and related appeals, the defendant and plaintiff agreed to settle the litigation.

The parties were not able to agree to the terms of a settlement during a full-day mediation session on April 3, 2025; however, through ongoing negotiations, the material terms of a settlement were agreed upon, and the terms have now been finalized. The proposed settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for September 17, 2026. The class consists of individuals who accessed the Memorial Health Services patient portal between March 7, 2022, and July 8, 2022.

Under the terms of the settlement, class members may claim a one-time cash payment, which will be paid pro rata from the $750,000 settlement fund. The defendant has agreed to cover the cost of attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the class representative, which will be deducted from the settlement fund before any cash payments are made. The remaining funds will be shared equally between all class members who submit a valid claim.

Individuals wishing to object to the settlement must do so by July 15, 2026. The deadline for opting out is August 21, 2026, and claims must be submitted by August 21, 2026. Further information can be found on the settlement website: https://mhspixelsettlement.com/

The post Memorial Healthcare Services Settles Pixel Litigation appeared first on The HIPAA Journal.

Calibrated Healthcare Settles Class Action Data Breach Lawsuit

Calibrated Healthcare Systems, LLC, and Calibrated Healthcare, LLC, have agreed to settle a class action lawsuit stemming from a February 2024 security incident that exposed patient information.

Calibrated Healthcare identified a security incident on February 26, 2024, and its investigation determined that there had been unauthorized access to its network between February 25, 2024, and February 26, 2024. While data theft was not confirmed, Calibrated Healthcare said data theft was likely. Data compromised in the incident included names, dates of birth, medical diagnosis/treatment information, and health insurance information.

The data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 6,890 individuals, and the affected individuals were notified on or around August 2, 2024. Two putative class action lawsuits were filed in response to the data breach: Adams v. Calibrated Healthcare Systems, LLC, et al and Holden v. Calibrated Healthcare, LLC, which were consolidated in the District Court for the Central District of California, Southern Division – Adams, et al. v. Calibrated Healthcare Systems, LLC, et al.

The consolidated lawsuit alleged that the data breach was due to the defendants’ negligence and should have been prevented. The lawsuit asserted claims for negligence, invasion of privacy, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Unfair Competition Law Bus. & Prof. Code for unlawful, fraudulent, and unfair business practices, violation of the California Consumers Legal Remedies Act, and violation of the California Consumers Legal Remedies Act.

The defendants deny all claims and contentions in the lawsuit, including claims of fault, wrongdoing, and liability. The parties attended mediation, and while a settlement was not agreed during mediation, settlement negotiations continued, and a settlement acceptable to all parties has now been agreed. The settlement has received preliminary approval from the court.

While the OCR breach portal still lists the incident as involving the protected health information (PHI) of 6,890 individuals, there are 34,562 individuals in the settlement class. The settlement provides all class members with two years of medical monitoring and identity theft insurance services, and a monetary payment of between $21.44 and $28.68, depending on the number of valid claims received for reimbursement of out-of-pocket costs and lost time.

Class members may claim up to seven hours of documented lost time due to the data breach at $25 per hour (Maximum $175 per class member). A claim may also be submitted for reimbursement of documented losses fairly traceable to the data breach up to a maximum of $5,000 per class member. Claims must be submitted by July 9, 2026, and the final fairness hearing has been scheduled for August 13, 2026.

The post Calibrated Healthcare Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Employees Drop Class Action Lawsuit Against Stryker Over Hamdala Cyberattack

A consolidated class action lawsuit against the medtech company Stryker over a March 2026 cyberattack has been voluntarily dismissed by the plaintiffs, shortly after Stryker filed a motion to dismiss the lawsuit, alleging a lack of standing.

The Iranian hacktivist group Hamdala targeted Stryker in response to the military action in Iran by the United States and Israel. The hackers breached certain Stryker systems, stole around 50 terabytes of data, and permanently erased 12 petabytes of data on around 200,000 company devices. The attack caused considerable disruption, taking systems out of action for weeks.

Eight current and former Stryker employees took legal action against the company alleging that their personal information was compromised in the attack. The lawsuits started to be filed within hours of Stryker announcing the cyberattack, before Stryker had completed its investigation. While a significant amount of data was stolen in the attack, Stryker said its forensic investigation found no evidence to suggest that any of the plaintiffs’ data was compromised.

Stryker searched for the plaintiffs’ personally identifiable information (PII) in the compromised files and found the business email addresses of two of the plaintiffs, but no PII. None of the plaintiffs received a notification from Stryker informing them that their PII was involved, but despite that, the plaintiffs took legal action against the company seeking to represent a class of individuals whose PII was compromised. On June 22, 2026, Stryker filed a motion to dismiss the class action litigation.

In its motion to dismiss, Stryker said the employees started filing lawsuits 48 hours after the cyberattack was announced on March 11, 2026, and that they speculated that their names, Social Security numbers, unspecified financial account information, unspecified health insurance information, and unspecified driver’s license information were compromised in the incident. The plaintiffs asserted claims for negligence, negligence per se, breach of implied contract, intrusion upon seclusion, unjust enrichment, breach of confidence, and declaratory judgment.

Stryker said the plaintiffs vaguely alleged that they had been injured as a result of the incident; however, those injuries were theoretical. Six of the plaintiffs alleged that their PII had been misused, speculating that it was due to the cyberattack on Stryker, but they failed to allege sufficient detail to link the misuse of their data to the Stryker cyberattack. Stryker determined that their PII had been exposed in numerous prior data breaches, including their Social Security numbers. Two of the plaintiffs had their PII exposed in at least 20 prior data breaches.

Stryker maintains that the incident did not involve devices or systems connected to its customers, although the attack did impact its electronic ordering system and other related systems used by its clients. The cyberattack has been reported to the U.S. Securities and Exchange Commission (SEC); however, the company has not issued breach notifications to the HHS’ Office for Civil Rights or state attorneys general at the time of publication.

The eight class action lawsuits filed by employees were consolidated into a single action – In re Stryker Corporation Cyberattack Litigation – in the U.S. District Court for the Western District of Michigan, Southern Division. The plaintiffs opted to voluntarily dismiss the consolidated lawsuit on June 29, 2026. U.S. District Court Judge Hala Jarbou has signed an order dismissing the employees’ claims without prejudice. Should Stryker determine that the plaintiffs’ PII was compromised in the incident, the lawsuits can be refiled.

The post Employees Drop Class Action Lawsuit Against Stryker Over Hamdala Cyberattack appeared first on The HIPAA Journal.

Greater Rochester Independent Practice Association Settles MOVEit Data Breach Litigation

A settlement has been agreed to resolve claims against Greater Rochester Independent Practice Association (GRIPA) arising from the May 2023 data breach involving Progress Software’s MOVEit file transfer solution.

In May 2023, the Russian-speaking hacking group CL0p mass exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Cl0p exploited the vulnerability to attack an estimated 2,700 companies that used the software, exfiltrated sensitive data, and then demanded payment to prevent the publication of the stolen data. Globally, almost 96 million individuals were affected. Cl0p proceeded to leak large amounts of data on the dark web when its ransom demands were not met.

In the United States, well over 100 class action lawsuits were filed against Progress Software and more than 100 client organizations over the attack and data breach. The plaintiffs alleged that the data breach could have been prevented by implementing industry-standard cybersecurity measures and protocols, such as software to detect suspicious activity, auditing the platform and Progress Software’s cybersecurity practices, and restricting the IP addresses that could access the platform and limiting the file types that could be uploaded.

The lawsuits had overlapping claims and were consolidated into a single multidistrict litigation, which was centralized in the U.S. District Court for the District of Massachusetts – In re: MOVEit Customer Data Security Breach Litigation. Progress Software made multiple bids to have the lawsuit dismissed, and in July 2025, the court largely denied the motions; however, it failed to dismiss the negligence claims under state law in California, Indiana, Michigan, and Ohio.

Several of the affected client organizations have already entered into settlements, including Bank of America, Nuance Communications, and Arietis Health. Now a settlement has been agreed to resolve claims against GRIPA related to the data breach, although the claims against Progress Software have not been resolved and will continue.

GRIPA faced four class action lawsuits over the data breach, the first of which was Clarke, et al. v. Progress Software Corp., et al, which were transferred to and coordinated with In re: MOVEit Customer Data Security Breach Litigation. GRIPA patients had their names, dates of birth, Social Security numbers, health & treatment information, health insurance information, pharmacy prescription information, and prescriber information compromised in the incident, and the publication of that data, according to the lawsuit, resulted in cognizable injuries. GRIPA faced claims for negligence, negligence per se, breach of third-party beneficiary contract, breach of implied contract, unjust enrichment, and declaratory and injunctive relief. GRIPA filed a motion to dismiss, which was denied in part and granted in part by the court on December 12, 2024.

GRIPA denies any wrongdoing and disagrees with the claims and contentions in the lawsuit. After considering the cost, expense, and length of proceedings, and the uncertainty of a trial and related appeals, the parties began settlement discussions. Mediation on June 10, 2025, was successful, with the material terms of a settlement agreed upon by all parties.

Under the terms of the settlement, GRIPA has agreed to establish a $2,150,000 settlement fund to pay claims made by the settlement class members. Claims will be paid after attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives have been deducted. Class members may submit a claim for reimbursement of up to $2,500 in ordinary losses, and up to $10,000 in extraordinary losses. Alternatively, if a claim for reimbursement of losses is not filed, class members may claim a one-time cash payment, estimated to be $100 per class member. The cash payments will be subject to a pro rata increase or decrease, depending on the number of valid claims received. In addition, all class members are entitled to file a claim for two years of complimentary credit monitoring and identity theft protection services.

The settlement has received preliminary approval from the court. The deadline for filing a claim is September 3, 2026. The final fairness hearing will be held on the same date. Individuals wishing to exclude themselves from the settlement or object to it must do so by August 4, 2026. Further information on the settlement can be found on the settlement website: https://www.moveitsettlementgripa.com/index.htm

The post Greater Rochester Independent Practice Association Settles MOVEit Data Breach Litigation appeared first on The HIPAA Journal.