Legal News about HIPAA Compliance

Home Healthcare Agency Owner Facing Decades in Jail for $1.6M Medicare Fraud Scheme

The owner and operator of a Michigan home health care company has been convicted of five counts of healthcare fraud and four counts of paying illegal healthcare kickbacks and now faces decades in jail. Ruby Scott, 55, of Farmington Hills, Michigan, the owner and operator of Delta Home Health Care LLC, was alleged to have operated a fraud scheme that caused more than $1.6 million in losses to the Medicare program. From 2018 to 2021, Scott was alleged to have fraudulently billed Medicare for home health services using stolen patient records.

Scott bribed a discharge nurse at a Detroit hospital to identify Medicare patients and fax their medical records to Delta Home Health Care. Scott developed a kickback relationship with the nurse, paying approximately $300 for each set of patient records that were successfully used to bill Medicare. The discharge nurse was paid more than $130,000 via PayPal, CashApp, cash, and check for providing the records.

Scott used confidential diagnostic and personal information to bill Medicare for home healthcare services for the patients, falsely representing that a doctor had certified that the patients satisfied the Medicare requirements for home health care services. The patients were unaware that their personal and health information was being used to submit false claims, and the doctors had never met any of the patients and did not know that their information was being used on the fraudulent claims. Medicare paid approximately $1.2 million to Delta, causing approximately $1.6 million in losses to the Medicare program.

Scott was charged with multiple counts of fraud and operating an illegal kickback scheme and was recently convicted by a federal jury in the Eastern District of Michigan. The jury found Scott guilty of five counts of health care fraud, one count of conspiracy to defraud the United States and to pay illegal health care kickbacks, and four counts of paying illegal health care kickbacks. The healthcare fraud and kickback counts each carry a maximum sentence of 10 years in prison, and Scott faces a maximum of 5 years in jail for the conspiracy count. Scott is due to be sentenced on September 24, 2026.

“The [Department of Justice] Fraud Division is laser-focused on investigating and prosecuting those who commit fraud against the American people,” explained the Department of Justice in a press release announcing the guilty verdict. “The Department’s work to combat fraud supports President Trump’s Task Force to Eliminate Fraud, a whole-of-government effort chaired by Vice President J.D. Vance to eliminate fraud, waste, and abuse within Federal benefit programs.”

The post Home Healthcare Agency Owner Facing Decades in Jail for $1.6M Medicare Fraud Scheme appeared first on The HIPAA Journal.

Datavant Group to Pay $900,000 to Settle Class Action Data Breach Lawsuit

A settlement has been agreed to resolve a class action lawsuit against Ciox Health, which does business as Datavant Group, an Arizona-based health IT company, over a May 2024 email-related data breach.

Suspicious activity was identified within an employee’s email account on May 9, 2024. The forensic investigation confirmed that an unauthorized individual had access to the account between May 8 and May 9, 2024. Access to the account was gained after an employee responded to a phishing email. The breach was reported to the HHS’ Office for Civil Rights as affecting 320,702 individuals. Data potentially compromised in the incident included names, dates of birth, addresses, contact information, Social Security numbers, financial account information, driver’s license numbers, passport numbers, and health information.

A lawsuit was filed in response to the data breach – Jackson v. Ciox Health, LLC d/b/a Datavant Group – in the United States District Court for the District of Arizona. The lawsuit alleged that the defendant failed to implement sufficient security measures to protect patients’ sensitive information, that the failure amounted to negligence, and that the defendant had violated the Illinois Consumer Fraud and Deceptive Business Practices Act.

As is common in class action data breach lawsuits, the parties explored the possibility of an early resolution to the lawsuit to avoid the costs and risks associated with continuing with the litigation. An appropriate settlement was agreed upon by all parties, and the settlement has received preliminary approval from the court. Datavant Group has agreed to pay $900,000 to resolve the lawsuit. The settlement fund will be used to pay attorneys’ fees and expenses, service awards for the class representatives, settlement administration and notification costs, and benefits for the class members. While the OCR breach portal states that more than 320,000 individuals were affected, the class consists of 58,309 individuals.

Class members may submit a claim for up to $5,000 as reimbursement for documented, unreimbursed losses incurred as a result of the data breach. Alternatively, a claim may be submitted for a one-time pro rata cash payment. The amount of each cash payment will depend on the number of valid claims received. In addition to one of those benefits, class members may also enroll in one year of expanded identity theft protection and fraud monitoring services. The deadline for objection and exclusion is July 20, 2026. Claims must be submitted by August 18, 2026, and the final fairness hearing has been scheduled for September 4, 2026.


Endue Software Agrees to $870,000 Data Breach Settlement

Endue Software has agreed to pay $870,000 to settle a class action lawsuit that was filed in response to a cyberattack and data breach that affected more than 118,000 individuals. Endue Software is a software-as-a-service company that provides an infusion management platform to healthcare providers for managing infusion operations. On February 17, 2025, suspicious activity was identified within its systems. The forensic investigation confirmed unauthorized access for a short period on February 17, 2025, during which time files containing patient information were copied. Data compromised in the incident included full names, addresses, dates of birth, Social Security numbers, and medical record numbers. The affected individuals were notified on April 11, 2025.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated – Pauley, et al. v. Endue Inc. d/b/a Endue Software – in the United States District Court for the District of Maine. The consolidated lawsuit alleged that the data breach occurred as a result of the failure to implement reasonable and appropriate cybersecurity measures and should have been prevented.

The lawsuit asserted claims for negligence/negligence per se, breach of third-party beneficiary contract, unjust enrichment, and declaratory judgment/injunctive relief. Endue Software denies all claims and contentions in the lawsuit, and maintains that there is no liability and that there was no wrongdoing. Shortly after the lawsuit was filed, the parties explored the possibility of an early resolution and agreed that the 17th Judicial Circuit in and for Broward County, Florida, was the appropriate venue for settlement discussions. The consolidated lawsuit was dismissed and refiled in Florida, asserting claims for negligence/negligence per se and breach of third-party beneficiary contract.

The terms of a settlement were agreed upon, and the settlement has received preliminary approval from the court. The settlement provides two years of medical data and credit monitoring services, and class members may claim one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or a claim may be submitted for an alternative one-time cash payment of $65.

A $260,000 fund has been established to cover the alternative cash payments, which will be subject to a pro rata increase or decrease depending on the number of claims received. The total settlement fund is capped at $870,000. The deadline for objection to and exclusion from the settlement is June 30, 2026. The deadline for filing a claim is June 30, 2026, and the final fairness hearing has been scheduled for July 15, 2026.


Esse Health Agrees to Pay $2.53M to Settle Data Breach Lawsuit

American Multispecialty Group, doing business as Esse Health, a Missouri-based independent physician group serving the greater St. Louis area, experienced a cyberattack and data breach in April 2025. Esse Health faced multiple class action lawsuits in response to the data breach, and the consolidated class action lawsuit has recently been settled. Esse Health has agreed to pay $2,525,000 to resolve the lawsuit.

The cyberattack was detected by Esse Health on April 21, 2025, and the forensic investigation confirmed that the hackers obtained sensitive data such as names, addresses, birth dates, health information, and health insurance information. Around 5,000 individuals also had their Social Security numbers compromised in the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the electronic protected health information of 23,671 patients; however, the data breach was much more extensive. The Maine Attorney General was informed that the breach affected 263,601 individuals. The lawsuit states that approximately 521,167 individuals were affected.

The data breach was first announced by Esse Health on May 15, 2025, and shortly thereafter, a class action lawsuit was filed by Plaintiff Casten Clausner in the U.S. District Court for the Eastern District of Missouri. A further seven plaintiffs filed similar actions in state court in St. Louis County and the City of St. Louis. All actions were consolidated in the 22nd Judicial Circuit Court of St. Louis City, Missouri, in June 2025.

The consolidated lawsuit – Clausner et al. v. American Multispecialty Group – claims that the data breach could have been prevented and was due to the failure of the defendant to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, breach of confidence, breach of fiduciary duty, invasion of privacy, unjust enrichment, violation of the Missouri Merchandise Practices Act, and declaratory and injunctive relief. Esse Health maintains that there was no wrongdoing and that there is no liability; however, following mediation, a settlement was agreed upon by all parties to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, Esse Health has agreed to establish a $2,525,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the 8 class representatives, and benefits for the class members. After costs and expenses have been deducted from the settlement fund, the remainder will be used to pay for class member benefits. While most class action lawsuit settlements allow class members to submit a claim for reimbursement of losses, this settlement only provides a pro rata cash payment, which is expected to be $50 per class member. The payments may be higher or lower depending on the number of claims received.

In addition, class members are entitled to enroll in two years of medical identity protection services, which include a $1 million medical identity theft insurance policy. The cost of the medical identity protection will be paid separately by Esse Health. The settlement has received preliminary approval from the court. The deadline for objection and exclusion from the settlement is July 5, 2026. Claims must be submitted by August 4, 2026, and the final approval hearing has been scheduled for August 3, 2026.


Gandara Mental Health Center Settles Class Action Data Breach Lawsuit

Gandara Mental Health Center in Springfield, Massachusetts, has agreed to settle class action litigation stemming from a June 2024 cyberattack and data breach that affected 17,543 individuals. The cyberattack was detected on June 20, 2024, and Gandara Mental Health Center determined that personal and protected health information, such as names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, treatment information, and health insurance information, had been compromised. The hackers claimed to have exfiltrated approximately 450 GB of data.

A class action lawsuit – Eugene Mitchell v. Gandara Mental Health Center, Inc. – was filed in Hampden County, Commonwealth of Massachusetts, in response to the data breach. The lawsuit alleged that the defendant failed to properly secure its network, leading to the theft of the plaintiffs’ personal and protected health information, and asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and breach of fiduciary duty. Gandara Mental Health Center denies all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability.

All parties agreed upon a settlement to avoid further legal costs and expenses and the uncertainty of a trial and any related appeals. Under the terms of the settlement, class members are entitled to enroll in three years of identity theft protection and medical data monitoring services. A claim may also be submitted for reimbursement of up to $500 in ordinary losses, including up to four hours of lost time at $25 per hour, and up to $5,000 in extraordinary losses incurred as a result of the data breach. If a claim is not submitted for reimbursement of losses and lost time, an alternative one-time cash payment of $60 can be claimed. Benefits for the class members have been capped at $900,000 and will be reduced pro rata if that total is exceeded.

The deadline for objection to and exclusion from the settlement is July 24, 2026. Claims must also be submitted before that date. The final approval hearing has been scheduled for August 25, 2026.


Oglethorpe Settles Data Breach Lawsuit

Oglethorpe, a Tampa, FL-based network of mental health and addiction recovery treatment facilities, was sued in response to a June 2025 hacking incident in which the personal and protected health information of 92,000 current and former patients and employees was stolen. The lawsuit has recently been settled and a cash fund of $350,000 will be created to cover benefits for class members.

The hacking incident was discovered in June 2025. The forensic investigation determined that the hacker exfiltrated information such as names, Social Security numbers, driver’s license or state identification numbers, and medical information. The affected individuals started to be notified about the incident on October 31, 2025. Multiple class action lawsuits were filed in response to the data breach, alleging that it could have been prevented had reasonable and appropriate cybersecurity measures been implemented.

The lawsuits were consolidated – Scott, et al. v. Oglethorpe, Inc. – in the Circuit Court for Broward County, Florida, since they had overlapping claims and were based on the same facts. The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, and unjust enrichment, as well as requesting declaratory and injunctive relief. Oglethorpe denies wrongdoing, fault, and liability.

All parties explored the opportunity for early resolution of the lawsuit to avoid unnecessary legal costs and the uncertainty of a trial and related appeals. Following several weeks of arm’s-length negotiations, a settlement was agreed upon that was acceptable to all parties. Under the terms of the settlement, Oglethorpe has agreed to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. A fund of $350,000 will be created to cover benefits for the class members.

All class members may enroll in one year of medical data monitoring services, which include a $1 million medical identity theft insurance policy. They may also claim one of two cash benefits: a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or a claim may be submitted for an alternative one-time cash payment of $75. That cash payment is subject to a pro rata reduction should the claim total exceed $350,000.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for June 22, 2026. Claims must be submitted by August 8, 2026, and individuals wishing to object to the settlement or exclude themselves must do so by June 8, 2026.


Alpine Ear, Nose, & Throat Settles Class Action Data Breach Lawsuit

Alpine Ear, Nose, & Throat, a Fort Collins, Colorado-based healthcare provider with multiple locations in the state of Colorado, has settled a class action lawsuit stemming from a 2024 data breach that was reported to the HHS’ Office for Civil Rights as affecting 65,648 individuals.

The security breach was identified on November 26, 2024, and the data breach was announced on January 17, 2025. It took until October 9, 2025, to complete the data mining process, and the affected individuals were notified on January 30, 2026, 14 months after the data breach was first identified. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers with their CVCs and expiration dates, and Social Security numbers.

Shortly after the data breach was announced, but several months before notification letters were mailed, a class action lawsuit was filed by Plaintiff Deborah Knoll in the District Court of Denver County, Colorado, in response to the data breach. On March 13, 2025, the lawsuit was voluntarily dismissed, and plaintiff Anthony Pfirrman was substituted as the plaintiff. At the request of the defendant, the lawsuit – Pfirrman v. Alpine Ear, Nose, & Throat, PLLC – was transferred to District Court for Larimer County, Colorado.

The plaintiff alleged that the defendant was at fault for the data breach due to the failure to implement reasonable security measures to protect sensitive data on its network. The lawsuit asserted claims for negligence, negligence per se, invasion of privacy, breach of implied contract, breach of confidence, breach of fiduciary duty, unjust enrichment, and declaratory judgment, all of which were denied by the defendant, including the claims of wrongdoing and liability.

All parties began to explore the possibility of a settlement to avoid the costs and risks associated with protracted litigation and a trial, and following mediation in November 2025, the material terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court. The defendant has agreed to pay attorneys’ fees and costs up to a maximum of $330,000, a service award for the class representative of $2,500, and the following benefits to the class members:

  1. Two years of credit and medical monitoring services (CyEx Medical Shield Complete)
  2. Reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member
  3. Compensation for lost time, up to a maximum of 4 hours at $20 per hour

Class members who do not wish to submit a claim for reimbursement of losses and compensation for lost time may instead claim an alternative one-time cash payment of $50. Individuals wishing to object to the settlement or exclude themselves must do so by June 23, 2026. The deadline for submitting a claim is July 23, 2026, and the final fairness hearing has been scheduled for August 11, 2026.


Former Maryland Pharmacist Indicted Over 8-Year Cyber Spying Campaign

A former Maryland hospital pharmacist who is alleged to have engaged in a multi-year cyber spying campaign is facing up to 17 years in jail. Matthew Bathula, 41, of Clarksville, is alleged to have engaged in the spying campaign for more than 8 years between July 2016 and September 2024, during which time he intentionally accessed computers without authorization and used a range of cyber intrusion techniques to steal sensitive data, including installing keyloggers and cookie managers, file masquerading, and setting up mailbox rules to avoid detection.

According to the indictment, these techniques allowed Bathula to steal usernames, passwords, cookies, images, videos, and other sensitive data. The data obtained from his actions was used to spy on current and former employees, individuals in a relationship with current and former employees, and other individuals affiliated with his employer. Credentials were obtained for almost 200 victims, which were used to access their social media accounts, as well as Google Photos, Google Nest, iCloud Photos, dating apps, and Gmail and Microsoft 365 accounts. He also created mailbox rules to delete warning messages, such as Critical Security Alerts, to avoid detection. The stolen cookies allowed Bathula to maintain access to victims’ accounts from his personal devices, which were not connected to his employer’s network.
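The mailbox rules described above, which delete account-security warnings so the victim never sees them, are something a mail administrator can hunt for during a rule audit. The following is an added example written for this digest, not code from the indictment or from The HIPAA Journal: it checks a constructed list of inbox rules in a hypothetical simplified schema and flags rules whose effect is to delete or hide security notices; the keyword list, sender-domain list and "hiding folder" list are assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass, field

# Phrases seen in the account-security notices a victim would normally read.
# Constructed list (assumption); extend it for the identity providers you use.
ALERT_PATTERNS = [
    r"critical security alert",
    r"security alert",
    r"new sign-?in",
    r"unusual (sign-?in|activity)",
    r"password (was )?(changed|reset)",
    r"verification code",
    r"two-?factor|2fa",
]
ALERT_RE = re.compile("|".join(ALERT_PATTERNS), re.IGNORECASE)

# Sender domains of common identity providers (constructed, not exhaustive).
SECURITY_SENDERS = ("accounts.google.com", "account.microsoft.com", "apple.com")

# Folders users rarely open: moving a message there hides it almost as well
# as deleting it, so treat both as a "hiding" action.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "junk",
                  "archive", "conversation history"}


@dataclass
class InboxRule:
    """Hypothetical simplified inbox-rule record (not a vendor schema)."""
    name: str
    enabled: bool = True
    subject_contains: list = field(default_factory=list)
    from_contains: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    mark_as_read: bool = False


def hiding_actions(rule: InboxRule) -> list:
    """List the actions of this rule that keep a message out of the user's sight."""
    acts = []
    if rule.delete_message:
        acts.append("delete")
    if rule.move_to_folder.strip().lower() in HIDING_FOLDERS:
        acts.append("move_to:" + rule.move_to_folder)
    if rule.mark_as_read:
        acts.append("mark_read")
    return acts


def suspicious_reasons(rule: InboxRule) -> list:
    """Return the reasons a rule looks like an evasion rule; empty means benign."""
    if not rule.enabled:
        return []
    acts = hiding_actions(rule)
    if not acts:                       # a rule that hides nothing is not of interest
        return []
    reasons = []
    matched = [w for w in rule.subject_contains if ALERT_RE.search(w)]
    if matched:
        reasons.append(f"hides alert-like subjects {matched} via {acts}")
    senders = [s for s in rule.from_contains
               if any(d in s.lower() for d in SECURITY_SENDERS)]
    if senders:
        reasons.append(f"hides mail from security senders {senders} via {acts}")
    if rule.delete_message and not rule.subject_contains and not rule.from_contains:
        reasons.append("deletes every message with no condition")
    if len(rule.name.strip()) <= 1:    # attacker-created rules are often named "." or ""
        reasons.append("near-empty rule name")
    return reasons


def audit_rules(rules) -> dict:
    """Map rule name -> reasons for every rule that needs a second look."""
    findings = {}
    for rule in rules:
        reasons = suspicious_reasons(rule)
        if reasons:
            findings[rule.name] = reasons
    return findings


# Constructed sample export: one benign filing rule, one evasion rule hiding
# security alerts, one rule burying provider notices, one harmless mark-read rule.
SAMPLE_RULES = [
    InboxRule("Newsletter cleanup", subject_contains=["newsletter"], move_to_folder="Newsletters"),
    InboxRule(".", subject_contains=["Critical security alert", "new sign-in"],
              delete_message=True, mark_as_read=True),
    InboxRule("Google", from_contains=["no-reply@accounts.google.com"], move_to_folder="RSS Feeds"),
    InboxRule("Vendor invoices", from_contains=["billing@example-vendor.test"], mark_as_read=True),
]

if __name__ == "__main__":
    for name, why in audit_rules(SAMPLE_RULES).items():
        print(f"SUSPICIOUS rule {name!r}: " + "; ".join(why))
```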

Further, between February 2023 and July 2024, spyware was installed on one or more of his employer’s computers, allowing him to conduct video surveillance of people at work and record video content. That included accessing Internet-enabled cameras and using them to record videos of young doctors and medical residents pumping breastmilk in closed treatment rooms. He is also alleged to have used stolen credentials to access the home security systems of his victims, which included using those systems to record video footage of women breastfeeding, interacting with young children, and engaging in sexual acts with their partners.

Bathula has been charged with two counts of unauthorized access to a protected computer and one count of aggravated identity theft. At the time of the alleged conduct, he was working as a pharmacy clinical specialist for Company A, a medical system located in the District of Maryland. “Bathula’s alleged actions are a reprehensible invasion of privacy. He betrayed the trust of his employer and co-workers, as he gained access into the private worlds of nearly 200 victims without their knowledge or consent,” Hayes said. “We, along with our law-enforcement partners, are committed to holding individuals accountable who commit cybersecurity crimes, thereby harming unsuspecting people.”

If found guilty, Bathula faces up to 10 years in jail for the unauthorized access to a protected computer at Company A, up to five years for unauthorized access to victims’ protected computers, and up to two years for aggravated identity theft. The aggravated identity theft sentence will be consecutive to any other sentence imposed.

While Company A was not named in the indictment, Bathula was employed by the University of Maryland Medical Center (UMMC) as a clinical pharmacist. At least six current and former employees have taken legal action against UMMC over Bathula’s actions. The lawsuit, which was reported on by The HIPAA Journal in April 2025, asserted claims for negligence, negligent supervision and retention, negligent security, and intrusion upon seclusion/invasion of privacy. The lawsuit seeks a jury trial, compensatory, exemplary, and punitive damages, litigation expenses and attorneys’ fees, and injunctive and declaratory relief.


Southern Illinois Healthcare Enterprises Pixel Settlement Approved

A settlement has been agreed to resolve litigation against defendants Southern Illinois Healthcare Enterprises, Southern Illinois Hospital Services, and Southern Illinois Medical Services over their use of website tracking technologies without website users’ knowledge or consent.

Southern Illinois Healthcare Enterprises Pixel Settlement

A class action lawsuit over the use of website tracking technologies has been settled. The lawsuit was filed by John Doe, individually and on behalf of similarly situated individuals, against the defendants Southern Illinois Healthcare Enterprises, Southern Illinois Hospital Services, and Southern Illinois Medical Services over an alleged impermissible disclosure of the plaintiff’s and class members’ private information to third parties.

The lawsuit – Doe v. Southern Illinois Healthcare Enterprises, Inc. – was filed in Williamson County Circuit Court, Illinois, and alleged that personally identifiable information was disclosed to Meta (Facebook) via third-party tools on the defendants’ websites without the knowledge or permission of website visitors. The lawsuit asserted claims for negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Illinois Consumer Fraud and Deceptive Practices Act.

The defendants removed the action to the U.S. District Court for the Southern District of Illinois and sought to have the lawsuit dismissed. That motion was partially successful and led to an amended complaint being filed that alleged negligence, negligence per se, invasion of privacy, breach of express contract, breach of implied contract, unjust enrichment, breach of bailment, breach of fiduciary duty, conversion, trespass to chattel, violation of the Illinois Eavesdropping Statute, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

The defendants sought to have the amended complaint dismissed; however, the motion was denied by the court. The defendants denied and continue to deny any wrongdoing or liability but agreed to a settlement to avoid the cost of protracted litigation and the risks of a trial. All class members are entitled to claim a one-year membership to the CyEx Privacy Shield Pro service and a one-time cash payment of $17.50. The objection, exclusion, and claims deadline is June 15, 2026. The final fairness hearing has been scheduled for August 24, 2026.
