Columbia University Health Care (CUHC) has agreed to pay $600,000 to settle a class action lawsuit over a cybersecurity incident that affected 29,629 current or former patients. The data breach in question occurred between September 11, 2023, and March 7, 2024, when cybercriminals had access to an Internet-accessible platform used by Columbia University Irving Medical Center, the academic medical center of Columbia University, and the largest campus of New York-Presbyterian Hospital. Columbia University and New York-Presbyterian participate in an Organized Health Care Arrangement. The hackers were able to access sensitive healthcare information, including names, medical record numbers, dates of birth, provider names, and a single laboratory test result. Notification letters were mailed to the affected individuals in May 2024.

In July 2024, a lawsuit was filed against New York-Presbyterian Columbia University Irving Medical Center by Juanita Huggins, and a second lawsuit was filed in October 2024 by Margaret Nemeth. The defendant, New York-Presbyterian Hospital, was dismissed, and the litigation continued as Margaret Nemeth, et al. vs. Columbia University Health Care, Inc., in the Supreme Court of the State of New York, County of New York

The lawsuit alleged that CUHC failed to implement and maintain adequate security measures to protect the private information of patients in its possession and should have prevented the data breach. CUHC disagrees with the claims and contentions in the lawsuit and maintains there was no wrongdoing. Following mediation on April 18, 2025, the material terms of a settlement were agreed upon, and the settlement agreement has received preliminary approval from the court.

Under the terms of the settlement, CUHC has agreed to establish a $600,000 settlement fund, which will be used to cover attorneys’ fees and expenses, service awards for the class representatives, settlement administration costs, and benefits for the class members. All class members are entitled to claim a two-year subscription to the CyEx Medical Shield Complete service, which includes single-bureau credit monitoring, dark web monitoring, Medicare beneficiary monitoring, medical record number monitoring, health savings account monitoring, national provider identifier monitoring, high-risk transaction monitoring, security freeze assistance, and victim assistance services.

Class members may also submit a claim for reimbursement of documented, unreimbursed losses related to the data breach up to a maximum of $10,000 per class member. In addition, class members may claim a pro rata cash payment, which will be paid after all costs, expenses, claims, and credit monitoring costs have been deducted from the settlement fund. The deadline for exclusion from and objection to the settlement is October 27, 2025. All claims must be submitted by November 25, 2025, and the final fairness hearing has been scheduled for December 5, 2025. Further information is available on the settlement website: https://columbiahealthcaredatabreach.com/

The post Columbia University Health Care to Pay $600,000 to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Jefferson Healthcare has agreed to settle a class action lawsuit that alleged sensitive data was transmitted to third parties without patient consent due to its use of Meta Pixel and other tracking technologies on its website. Jefferson Healthcare serves residents of eastern Jefferson County on the Olympic Peninsula in Washington State. According to the lawsuit – Jane Doe et al. v. Jefferson County Public Hospital District No. 2 D/B/A Jefferson Healthcare – Jefferson Healthcare installed computer code, including Meta Pixel, on its website between March 19, 2020, and March 19, 2024.

The plaintiffs allege that the implementation of the code allowed their protected health information to be transmitted to third parties such as Facebook and Google without their knowledge or consent. The complaint was filed on March 19, 2024, and Jefferson Healthcare filed a motion to dismiss, which was granted in its entirety by Jefferson County Superior Court Judge Brandon Mack on July 24, 2024. On August 23, 2024, the plaintiff filed a Notice of Appeal with the Washington Court of Appeals.

The plaintiffs and the defendant agreed that a settlement was in the best interests of all parties to avoid the burden, expense, risk, and uncertainty of continuing the litigation. The terms of the settlement have now been agreed upon, and the settlement has received preliminary court approval. Under the terms of the settlement, class members are entitled to claim a voucher for a 12-month subscription to CyEx Privacy Shield, valued at $330.

Jefferson Healthcare has also agreed not to use Meta Pixel on its website for at least two years, unless it is determined that its use is consistent with applicable laws, and an affirmative disclosure is made in the privacy statement on its website that Meta Pixel is being used.  Jefferson Healthcare has agreed to pay attorneys’ fees of $125,000, awards of $2,500 for the class representatives, and will cover the settlement administration costs.

Class members wishing to exclude themselves or object to the settlement have until October 17, 2025, to do so. Claims for a voucher must be submitted by November 17, 2025, and the final approval hearing has been scheduled for December 5, 2025.

The post Jefferson Healthcare Agrees to Settle Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.

23andMe has proposed an increased settlement fund to resolve U.S. litigation over its 2023 data breach, adding a further $20 million to the $30 million settlement proposed last year. The $30 million settlement was given preliminary approval by a federal court judge in December.

The data breach began in April 2023 and involved unauthorized access to customer accounts for around 5 months as a result of a credential stuffing attack. Approximately 7 million customers were affected, 6.4 million of whom were located in the United States. Customer accounts were compromised because they used the same password as other platforms that had previously been breached. While credential stuffing attacks exploit poor password practices by users of a platform, 23andMe was criticized for having inadequate security, such as not requiring multi-factor authentication to protect accounts.

The $30 million settlement was agreed upon and received preliminary approval before 23andMe’s bankruptcy. The company filed for Chapter 11 bankruptcy protection in March 2025 to maximize value through a court-supervised sale. The company was purchased for $305 million by a nonprofit organization led by former 23andMe CEO Anne Wojcicki in July 2025. The sale freed up more assets to cover claims from individuals affected by the data breach.

After the previous settlement was agreed upon, 23andMe received more than 250,000 valid claims from class members who provided proof of losses. The increase in the size of the settlement will resolve “a substantial majority” of U.S. claims, according to 23andMe’s attorneys, who said the proceeds from the sale of the company remain the only source of monetary recovery for victims of the data breach. As such, they hope the judge will be convinced to approve the revised settlement.

In addition to providing reimbursement for documented, out-of-pocket expenses incurred as a result of the data breach, the settlement resolves claims that the company failed to tell customers with Chinese and Ashkenazi Jewish ancestry that they were being targeted by a hacker, and that their stolen data had been offered for sale on the dark web.

In addition to covering reimbursement of losses, class members will also be entitled to enroll in a five-year Privacy & Medical Shield + Genetic Monitoring program from CyEx, which was specifically set up for 23andMe customers affected by the data breach. The package provides enhanced protection, including identity theft monitoring, dark web monitoring, and genetic anomaly detection services. Wojcicki said the revised settlement closely tracks the settlement proposed and approved last year. The proposed settlement now awaits preliminary approval from the court.

23andMe has also asked the Missouri bankruptcy judge to approve a separate $3.25 million settlement (Can$4.49 million) to resolve a class action lawsuit in Canada, which will provide benefits for the 300,000 Canadian citizens affected by the data breach.

September 16, 2024: 23andMe Settles Data Breach Lawsuit for $30 Million

A settlement had previously been agreed in principle to resolve a 23andMe HIPAA data breach lawsuit, and now the terms have been finalized. 23andMe has agreed to pay $30 million to settle the consolidated class action lawsuit – In re 23andMe Inc Customer Data Security Breach Litigation – and received preliminary approval for the settlement in federal court in San Francisco on Thursday. The settlement still requires final approval from a federal court judge.

The 23andMe data breach (summarized below) involved unauthorized access to user accounts through credential stuffing, rather than a cyberattack on the 23andMe platform. The data of 6.9 million users was compromised in the attack, and the stolen data was sold on the dark web, including a dataset of individuals with Chinese and Ashkenazi Jewish heritage who appeared to have been specifically targeted.

Under the terms of the settlement, individuals whose data was compromised are entitled to receive a share of the settlement fund after litigation costs and attorneys’ fees have been deducted. The plaintiffs’ lawyers will receive between one-quarter and one-third of the settlement amount. In addition to a cash payment, class members will also be entitled to three years of complimentary monitoring services. The settlement is intended to resolve all U.S. claims regarding the 2023 credential stuffing attack and data breach.

23andMe denies all wrongdoing and liability but chose to settle the lawsuit to avoid further litigation and the uncertainty of trial and believes the settlement is “fair, adequate, and reasonable.” The plaintiffs’ attorneys have said the settlement addresses the main claims of their clients and avoids the significant risks of continuing litigation.

23andMe has been facing financial difficulties since the security incident. The company’s stock price has fallen from $10 a share when the company went public three years ago to less than $1 a share. 23andMe CEO Anne Wojcicki had offered to take the company private earlier this year but a special committee rejected the offer in early August. 23andMe warned that due to its current financial position, if there is any litigated judgment significantly more than the proposed settlement amount it would likely be uncollectable. The company said it faces parallel litigation in state court and private arbitration forums on behalf of tens of thousands of settlement class members.

Under the terms of the settlement, class members may submit claims for the following:

• An extraordinary claim for up to $10,000 to recover unreimbursed costs and expenditures related to the security incident. The costs can include losses due to identity theft, falsified tax returns, the costs of physical security or a monitoring system purchased in response to the security incident, and unreimbursed costs associated with professional mental health counseling or treatment as a result of the security incident. A cap of $5 million has been placed on these claims.
• If a resident of Alaska, California, Illinois, or Oregon at the time of the breach submits a statutory cash claim for $100, per the genetic privacy laws in those states.
• If health information was compromised, submit a claim for a $100 cash payment.
• All class members can enroll in Privacy & Medical Shield + Genetic Monitoring, which includes a password manager, medical record monitoring, and anti-phishing protection.

23andMe anticipates that around $25 million of the settlement amount will be covered by its cyber insurance policy. Class members can object to the settlement, exclude themselves to allow them to pursue their own legal case against 23andMe, or accept the settlement and submit a claim for their share of the settlement fund.

July 19, 2024: 23andMe Reaches Agreement in Principle to Settle Class Action Data Breach Lawsuit

23andMe has reached an agreement in principle to settle a class action lawsuit that was filed in response to a breach of customer data in 2023. The breach occurred in October 2023 and resulted in the theft of the data of approximately 6.9 million individuals, around half of its customers. There was no breach of 23andMe’s systems; instead, a threat actor conducted a credential stuffing attack, which allowed access to be gained to certain customer accounts. Around 14,000 individual accounts were compromised, around 0.1% of its customers.

When the breach was discovered, 23andMe placed the blame for the attack on customers’ poor security practices. The accounts could only be accessed as the affected customers had used the same username/password combinations that had been used to secure accounts on unrelated platforms. When those third-party platforms experienced data breaches and credentials were stolen, they could be used to access any other account where the credentials had been used, which in this case was 23andMe.

Data obtained from those accounts included uninterrupted raw genotype data, health predisposition reports, and carrier-status reports. The threat actor also exploited a 23andMe feature – DNA Relatives – which allows people to connect with their DNA relatives. Through that feature, the threat actor accessed the profile information of around 5.5 million 23andMe users as well as the Family Tree information of a further 1.4 million individuals. The threat actor then listed datasets for sale, including customers with Jewish and Chinese heritage.

More than 2 dozen lawsuits were filed against 23andMe over the data breach. The plaintiffs’ attorneys claimed that the datasets being offered for sale could be used as a hit list, allowing Jews to be targeted, and the Chinese dataset could be used by the intelligence agencies of the People’s Republic of China to target dissidents. While the 14,000 accounts were accessed due to customers’ password reuse, attorneys for the plaintiffs argued that 23andMe should have done more to protect users’ sensitive data.

They alleged that 23andMe should have been aware that a cyberattack was likely, and should have taken steps to reduce risk, and should have had proper data breach protocols in place. Further, the company should have notified customers with Jewish and Chinese heritage that the datasets had been made available and that they could potentially be targeted. The lawsuits also alleged that 23andMe lied about data security and had failed to implement protections in accordance with industry standards, then lied about the scope and severity of the breach.

At a court hearing on Tuesday, attorneys for the San Francisco-based company disclosed that a settlement had been agreed in principle to bring the litigation to an end. The company is finalizing the details and hopes to produce an executive term sheet in the next week and will then draft a full settlement agreement. “We have reached an agreement in principle for a full settlement of U.S. claims regarding the 2023 ‘credential stuffing’ security incident,” said 23andMe, in a statement provided to the San Francisco Business Times. “We believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”

Lawyers for the plaintiffs and class argued that under the Illinois Genetic Information Privacy Act, some of the class were owed up to $3 billion in damages. In its annual report, 23andMe disclosed that the company has around $216 million in cash, so any continued legal action to obtain substantial damages risked 23andMe filing for bankruptcy. The terms of the settlement have not yet been disclosed, but the settlement is likely to involve payment for dark web monitoring services and non-monetary relief. A hearing has been scheduled for July 30 for the court to be provided with an update on the term sheet, and a motion for preliminary approval of the proposed settlement is expected to be filed within a couple of months.

The post 23andMe Requests Bankruptcy Judge Approve Revised $50 Million Data Breach Settlement appeared first on The HIPAA Journal.

A lawsuit has been filed against Alphabet-owned Verily by a former employee who alleges that the personally identifiable health information of more than 25,000 patients was misused, and the company failed to report the HIPAA breaches, as required by the Health Insurance Portability and Accountability Act (HIPAA).

Verily, formerly Google Life Sciences, is a research organization owned by Google’s parent company, Alphabet. The Verily platform drives AI-powered precision health solutions that help pharmaceutical firms bring new therapies to market sooner and health systems and payers improve patient outcomes at a lower cost. The lawsuit alleges that an internal investigation confirmed HIPAA breaches involving HIPAA-protected data obtained from 14 HIPAA-regulated entities. The lawsuit claims patient data was used without authorization, in violation of the HIPAA Privacy Rule. Further, while the investigation uncovered misuses of patient data, Verily failed to disclose the breach, delaying notifications while contract renewals were negotiated with the affected covered entities, in violation of the HIPAA Breach Notification Rule.

The lawsuit was filed last year; however, it failed to be reported by the media until it was spotted by CNBC, which reported on the lawsuit last week. The lawsuit was filed by Ryan Sloan, a former chief commercial officer at Verily Onduo, Verily’s diabetes and hypertension business. The lawsuit is currently pending in the United States District Court for the Northern District of California in San Francisco, having survived a motion to dismiss or resolve the lawsuit through arbitration.

Sloan was hired by Verily in 2020 and was employed until he was terminated in January 2023. Sloan claims that he and Julia Feldman, general counsel at Onduo, discovered the HIPAA violations in January 2022 and reported them to senior management. Sloan claims that patient data was used for research, marketing campaigns, press releases, and national conferences, which are not uses permitted by the HIPAA Privacy Rule unless consent is obtained from patients.

Sloan claims that he and Feldman repeatedly raised the matter with senior management, and an internal investigation confirmed that there had been several HIPAA breaches of business associate agreements between Verily and HIPAA-covered entities, including Quest Diagnostics, Highmark Health, Walgreens Boots Alliance, and others. Despite the discovery of HIPAA breaches, Sloan alleges no notifications were issued.

He claims that during a contact negotiation between Verily and Highmark Health in August 2022, Verily misrepresented that it was fully compliant with the HIPAA Rules at all times, when the company knew that HIPAA violations had occurred, including with Highmark Health data. The lawsuit claims that Feldman was terminated later that month, along with another individual who was aware of the HIPAA breaches. Sloan was terminated in January 2023, which he claims was in response to repeatedly raising concerns about the HIPAA violations and the alleged cover-up of the HIPAA breaches.

There is no private cause of action under HIPAA, so individuals are not permitted to sue for HIPAA violations. Only the HHS’ Office for Civil Rights (OCR) and state attorneys general have the authority to take legal action for HIPAA violations. The lawsuit, Sloan v. Verily Life Sciences LLC, claims that Verily retaliated against Sloan after he raised the HIPAA violations in good faith, in breach of his employment contract. Verily denies the allegations.

“Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the full extent of the law,” said a Verily spokesperson in a statement to CNBC. “Verily is an equal opportunity employer, and takes its responsibility and commitment to abide by all laws and regulations seriously.  As this is an ongoing legal matter, Verily will not be providing further comment at this time.”

The post Alphabet’s Verily Sued by Former Executive Over Alleged HIPAA Breaches appeared first on The HIPAA Journal.

A $675,000 settlement has been agreed upon to resolve a class action data breach lawsuit against R1 RCM Inc., a revenue cycle management company,  and Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus in Henderson, Nevada.

The lawsuit stems from a data breach at R1 RCM, which was detected on November 23, 2023. R1 RCM determined that the hacker had exfiltrated sensitive data such as names, contact information, dates of birth, Social Security numbers, service locations, diagnosis information, patient account numbers, and medical record numbers.  The data breach was reported to the HHS’ Office for Civil Rights as affecting 16,121 individuals.

The lawsuit – Heather Hillbom v. R1 RCM, Inc. and Dignity Health dba Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus – was filed in the U.S. District Court for the District of Nevada on April 5, 2024, and alleged that the defendants were negligent by failing to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. The defendants maintain there was no wrongdoing and that there is no liability; however, the decision was made to settle the lawsuit to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, class members are entitled to claim two years of three-bureau credit monitoring services and identity theft protection services through CyEx Medical Shield Total.  In addition, all class members may claim a monetary payment, which will be calculated after attorneys’ fees, credit monitoring costs, legal expenses, settlement administration costs, service awards, and claims for out-of-pocket expenses have been deducted from the settlement fund. Claims may also be submitted for reimbursement of documented, unreimbursed, out-of-pocket losses. Up to $500 may be claimed as reimbursement for ordinary out-of-pocket expenses, and up to $2,500 for extraordinary out-of-pocket expenses, such as losses to fraud and identity theft.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 14, 2025. The deadline for objecting to and exclusion from the settlement is October 13, 2025, and all claims must be received by November 11, 2025.

The post R1 RCM & Dignity Health to Pay $675,000 to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Adena Health System, a nonprofit health system serving patients in south central and southern Ohio, has agreed to pay $17.8 million to resolve claims that it unlawfully disclosed patient data to third parties via tracking pixels on its MyChart patient portal.

Adena Health is one of many health systems to use tools such as Meta Pixel and Google Analytics code to track users on its website; however, these tools were also implemented on its patient portal, which requires users to log in. Whilst on the website and patient portal, users’ data was collected, which may have included personally identifiable information (PII) and protected health information (PHI). That information was automatically sent to companies such as Meta and Google.

A lawsuit was filed over the disclosures, which were alleged to have occurred without the knowledge or consent of the data subjects. Users of the patient portal could book appointments, research medical conditions, learn about treatment options, and communicate with their providers. The lawsuit alleged that health conditions, preferred treatment options, physicians’ details, and search queries were all collected by the tracking tools and were transmitted to third parties. If a user was logged into their Facebook account at the time, the lawsuit claims the unique Facebook identifier was also transmitted, allowing them to be personally identified. The lawsuit claims the tools were knowingly added to the website and that Adena Health unjustly profited from the disclosures.

The lawsuit alleged negligence, breach of confidence, breach of fiduciary duty, unjust enrichment, invasion of privacy, and a violation of the Electronic Communications Privacy Act, and claimed that there is civil liability for criminal actions – the knowing disclosure of individually identifiable health information to a third party. Adena Health denies wrongdoing and liability and disagrees with the claims and contentions in the lawsuit; however, it agreed to a settlement to bring the litigation to an end to avoid the risks and uncertainties of trial and further litigation costs.

Under the terms of the settlement, the 89,000 class members who visited the patient portal between November 1, 2022, and June 3, 2024, are entitled to claim a cash payment of $21 and a year of credit monitoring and identity theft protection services, valued at $179 per person. The settlement now awaits approval from the court.

The post Adena Health to Pay $17.8 Million to Settle Pixel Lawsuit appeared first on The HIPAA Journal.

The Trump administration has agreed to settle a lawsuit filed by the Washington State Medical Association (WSMA) and eight other plaintiffs that sought to stop and reverse the deletion of important public health and science data from federal websites. Under the terms of the settlement, the Department of Health and Human Services is required to restore more than 100 datasets and webpages that were deleted since January 2025.

On January 20, 2025, President Trump signed several executive orders, two of which concerned gender identity and diversity, equity, and inclusion (DEI) – Executive Order 14168: Ending Radical and Wasteful Government DEI Programs and Preferencing & Executive Order 14151: Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government. Over the course of several months, the Trump administration directed federal agencies such as the Centers for Disease Control and Prevention (CDC), National Institutes of Health (NIH), and Food and Drug Administration (FDA) to delete public health information that had previously been published on those agencies’ websites.

The deleted content included public health information relating to LGBTQ health, gender and reproductive health, vaccine guidance, Mpox treatment, pregnancy risk, opioid use disorder, HIV/AIDS research, and the NIH HIV Risk reduction tool, data from clinical trials, and more.

A lawsuit was filed in federal court to stop the deletion of data from taxpayer-funded websites, restore the deleted content, and establish legal protection to prevent future efforts to suppress public health information. The lawsuit was filed by the WSMA, Washington State Nurses Association, Washington Chapter of the American Academy of Pediatrics, AcademyHealth, Association of Nurses in AIDS Care, Fast-Track Cities Institute, International Association of Providers of AIDS Care, National LGBT Cancer Network, and Vermont Medical Society.

The defendants were Robert F. Kennedy Jr., Department of Health and Human Services (HHS), Matthew Buzzelli, CDC, Jay Bhattacharya, NIH, Martin A. Makary, FDC, Thomas J. Engels, Health Resources and Services Administration, Charles Ezell, and the Office of Personnel Management.

The lawsuit – Washington State Medical Association et al. v. Kennedy et al.– alleged that the deleted data was critical to public health research and combatting morbidity and mortality, and the removal of health-related data in response to the executive orders violated the Administrative Procedure Act, the separation of powers principle, the Paperwork Reduction Act, the Public Health Service Act, and the Prematurity Research Expansion and Education for Mothers Who Deliver Infants Early Act.

“The unannounced and unprecedented deletion of these federal webpages and datasets came as a shock to the medical and scientific communities, which had come to rely on them to monitor and respond to disease outbreaks, assist physicians and other clinicians in daily care, and inform the public about a wide range of healthcare issues,” wrote the plaintiffs in the lawsuit. “Health professionals, nonprofit organizations, and state and local authorities used the websites and datasets daily to care for their patients, provide resources to their communities, and promote public health.”

The lawsuit alleged that thousands of databases have been deleted, depriving the medical community and the public of accessing critical resources. The defendants have restored some of the deleted datasets and webpages, in some instances in response to court orders, but the restoration has been inconsistent and scattershot. The plaintiffs claimed that the defendants made “arbitrary, capricious and unreasoned” decisions to delete critical resources that, under American law, are required to be made available to the American people.

“Access to trustworthy information allows us to solve real problems, improve health outcomes, and plan for the future. If we don’t stand up for data now, we risk losing the tools we rely on to make progress, regardless of politics,” said Dr. Aaron Carroll, president and CEO of AcademyHealth.

On September 2, 2025, the WSMA announced that it was thrilled that a settlement had been reached, which requires the HHS to restore webpages and data that were wrongfully deleted, and make them available again to physicians, scientists, medical professionals, and the American public.” Under the terms of the settlement, the HHS is required to restore the deleted websites, webpages, and datasets that were taken down this year and have not already been restored, as detailed in Appendix A of the complaint.

“I am extremely proud of the health care community in Washington state and our partners in this case for pushing back on this egregious example of government overreach,” said John Bramhall, MD, PhD, president of the WSMA. “This was not a partisan issue – open data benefits everyone, and ensuring its availability should be a bipartisan priority.”

The post HHS Agrees to Settlement Requiring the Restoration of Deleted Health Data and Websites appeared first on The HIPAA Journal.