MedStar Health has agreed to settle class action litigation stemming from a 2023 data breach that affected more than 183,000 individuals. MedStar Health will create a $1.35 million settlement fund to cover attorneys’ fees, legal costs and expenses, and claims from class members for reimbursement of out-of-pocket expenses fairly traceable to the data breach.

MedStar Health, the largest healthcare provider in Maryland and Washington, D.C., provides medical services through 120 entities, including 10 hospitals. Between January 25, 2023, and October 18, 2023, an unauthorized third party gained access to the email accounts of three employees and accessed or obtained the protected health information of 183,079 patients. The individuals were notified about the data breach on May 4, 2024.

Shortly after mailing notification letters, a class action lawsuit was filed by Gwendolyn Riddick individually and on behalf of similarly situated individuals. A further five class action lawsuits were filed by other MedStar Health patients. Since all six lawsuits were materially and substantively identical and had overlapping claims, they were consolidated into a single action, In re MedStar Health Data Security Incident, in the U.S. District Court for the District of Maryland. The plaintiffs alleged that MedStar Health failed to implement reasonable and appropriate safeguards to protect the sensitive data it stored on its network.

MedStar Health denies any wrongdoing and disagrees with the claims and contentions in the lawsuit; however, MedStar agreed to a settlement to avoid the cost and risk of a trial and any possible appeals. The $1,350,000 settlement fund will be used to pay attorneys’ fees up to $450,000, settlement administration costs up to $250,000, class representative awards of $2,500 for each of the six named plaintiffs, attorneys’ expenses, and medical data monitoring costs. The remainder of the settlement fund will be used to cover claims from class members, who are U.S. residents who are current or former MedStar patients or employees who were notified that their data was exposed between January 25, 2023, and October 18, 2023.

Under the terms of the settlement, class members may claim one of two cash payments plus a one-year membership to a medical and healthcare data monitoring service. Class members may submit a claim for reimbursement of documented losses up to a maximum of $5,000 per class member, or they may alternatively claim a cash payment, which is estimated to be $100. The cash payments may be adjusted based on the number of valid claims received.

The deadline for objecting to and opting out of the settlement is September 14, 2025. The deadline for filing a claim is October 14, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 4, 2025.

The post MedStar Health Agrees to $1.35 Million Settlement to Resolve Class Action Data Breach Litigation appeared first on The HIPAA Journal.

Robeson Health Care Corporation, a Pembroke, North Carolina-based integrated health system, has agreed to settle a class action lawsuit that alleged hackers compromised its network in a February 2023 cyberattack, exposing the protected health information of 62,627 individuals.

Hackers gained access to its network on or around February 21, 2023, and potentially accessed or acquired protected health information such as names, dates of birth, Social Security numbers, diagnosis and treatment information, medical record numbers, Medicare/Medicaid numbers, prescription information, health insurance information, and other sensitive data. The affected individuals started to be notified about the data breach on April 21, 2023.

In early to mid-May 2023, three lawsuits were filed against Robeson Health Care Corp. over the data breach by plaintiffs Julianna McKenzie, Judith Hammonds, and Ronnie McGriff in the United States District Court for the Eastern District of North Carolina. The plaintiffs asserted several claims, including negligence for failing to implement reasonable and appropriate safeguards to secure its network and protect patient data from unauthorized access. Robeson Health Care Corp. denies all claims and contentions in the lawsuit, including charges of wrongdoing and liability. Since continuing with the action would likely be expensive and protracted, all parties agreed to negotiate an appropriate settlement. That settlement has been determined to be fair by all parties and has received preliminary approval from the Superior Court of the State of North Carolina for the County of Robeson.

Under the terms of the settlement, Robeson Health Care Corp. has agreed to pay for benefits for class members, which will be capped at $750,000. Class members may submit a claim for up to $2,500 for reimbursement of documented, unreimbursed out-of-pocket losses that resulted from the data breach. Attorneys’ fees and costs have been capped at $250,000, and each of the three plaintiffs will receive a service award of $1,500.

Alternatively, class members may choose to receive a cash payment of $50, which will be paid pro rata after claims have been paid. The cash payments may be higher or lower depending on the number of claims received. In addition, class members can claim two years of single-bureau credit monitoring services. The deadline for exclusion from and objection to the settlement is June 23, 2025. The final approval hearing has been scheduled for July 21, 2025, and the deadline for submitting claims is August 6, 2025. Further information on the settlement can be found on the settlement website:  https://www.rhccdataincidentsettlement.com/

The post Robeson Health Care Corp. Agrees to $750K Data Breach Settlement appeared first on The HIPAA Journal.

Netgain Technology has agreed to settle consumer data breach litigation filed in response to a 2020 ransomware attack and data breach. Netgain will establish a $1.9 million settlement fund to cover claims from class members.

Netgain is a Minnesota-based cloud hosting and managed IT service provider with many clients in the healthcare industry. A ransomware group gained access to Netgain’s environment between September and December 2020 and deployed ransomware on November 24, 2020. The attack affected thousands of Netgain’s servers and forced it to take some of its data servers offline. The ransomware group was able to exfiltrate data in the attack, including the data of patients of its healthcare provider clients.  Data stolen in the attack included names, contact information, dates of birth, Social Security numbers, medical information, and financial information.

On May 13, 2021, plaintiffs Misty Meier and Jane Doe filed a class action complaint against Netgain, alleging their personally identifiable information (PII) and protected health information (PHI) were stolen in the attack. Further lawsuits were filed by plaintiffs Susan Reichert, Mark Kalling, Sherman Moore, Robert Smithburg, Thomas Lindsay, and Robert Guertin. On August 24, 2021, a federal judge consolidated the lawsuits into a single class action complaint – In Re: Netgain Technology, LLC, Consumer Data Breach Litigation – in the United States District Court for the District of Minnesota.

The lawsuit asserted several causes of action, some of which were dismissed; however, the causes of action for negligence and declaratory judgment were allowed to proceed, and a settlement has been negotiated that has received preliminary approval from the court.  Under the terms of the settlement, class members may submit claims for documented losses and lost time up to a maximum of $5,000 per class member, and after all payments have been made, any remaining funds in the settlement fund will be distributed pro rata among the class members.

Netgain has also agreed to injunctive relief for three years from the effective date of the settlement. Netgain has agreed to adopt, continue, or implement firewall upgrades, geo-blocking, routing through secured gateways, virus prevention technology across its data environment, multi-factor authentication in its hosting environments, backup data protection, and configure its network in a secure and scalable manner.

The post Netgain Technology Agrees to $1.9 Million Settlement to Resolve Data Breach Litigation appeared first on The HIPAA Journal.

A $2.4 million settlement has received final approval from the court to resolve a class action lawsuit against Somnia Inc. and others over a 2022 cyberattack and data breach.

Somnia manages anesthesiology services at more than a hundred surgery centers across the country. In the summer of 2022, Somnia experienced a cyberattack that saw hackers access parts of its network where patient information was stored. The forensic investigation confirmed that names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, medical record numbers, Medicaid/Medicare IDs, and health information were potentially compromised. More than 450,000 individuals had their information exposed in the incident.

Several lawsuits were filed in response to the breach against Somnia, Anesthesia Services of San Joaquin, Palm Springs Anesthesia Services, Resource Anesthesiology Associates of IL, Resource Anesthesiology Association of NM, and Anesthesia Associates of El Paso. The lawsuits were consolidated into a single lawsuit as they all asserted similar claims and were based on the same facts.  The plaintiffs claimed that Somnia was negligent by failing to implement appropriate cybersecurity safeguards to ensure the privacy and confidentiality of the data stored on its network, did not follow industry security standards, and was not fully compliant with the HIPAA Rules.

The plaintiffs claimed they had suffered harm as a result of the data breach, including being placed at an elevated risk of identity theft and fraud. They also alleged that data breach notification letters were delayed and did not contain adequate information about the data breach, including the exact types of information that were stolen. The defendants denied and continue to deny any wrongdoing, and maintain the plaintiffs’ claims have no merit; however, the decision was taken to settle the litigation to prevent further legal costs and to avoid the risks and uncertainties associated with continuing to fight the litigation.

Under the terms of the settlement, a $2,425,000 settlement fund has been established to cover claims from class members for unreimbursed, documented out-of-pocket losses that are plausibly traceable to the data breach. $1 million of the settlement will be paid to the plaintiffs’ lawyers, $50,295 will be deducted to cover litigation expenses, and each of the 9 named plaintiffs will receive a $1,000 service award. The remainder of the settlement will cover class members’ claims, which were capped at $2,500 per class member. Any remaining funds in the settlement fund after claims and expenses have been paid will be paid pro rata to the class members.

The post Somnia’s $2.4 Million Data Breach Settlement Receives Final Approval appeared first on The HIPAA Journal.

A settlement has been agreed to resolve litigation stemming from a 2022 data breach at AllCare Plus Pharmacy. The Northborough, MA-based pharmacy detected the security incident on June 21, 2022, when suspicious activity was identified in an employee’s email account.

The investigation confirmed that hackers gained access to the email account after the employee responded to a phishing email. The review of the account confirmed it contained names, addresses, birth dates, Social Security numbers, driver’s license and other ID numbers, financial information, and limited health and health insurance information related to treatment and prescriptions. The breach was reported to the Maine Attorney General as affecting 5,971 individuals.

A lawsuit – Celeste Brown, et al. v. AllCare Plus Pharmacy LLC – was filed in the Suffolk County Superior Court of the Commonwealth of Massachusetts over the data breach, claiming the data breach occurred due to the failure to implement appropriate cybersecurity measures and follow industry standard security best practices.

According to the lawsuit, had those measures been implemented, the data breach could have been prevented. AllCare Plus Pharmacy maintains that there was no wrongdoing and that it had meritorious defenses in place; however, the pharmacy chose to settle the litigation to prevent further legal costs and to avoid the risks and uncertainty associated with continuing to fight the litigation.

Under the terms of the settlement, individuals who were notified that their data was compromised may submit claims for reimbursement of documented out-of-pocket losses. Claims may be submitted for ordinary losses up to a maximum of $750 per class member, which can include communication costs, credit monitoring costs, attorneys’ fees, accountants’ fees, and miscellaneous expenses.

Claims may also be submitted for extraordinary losses, such as losses due to identity theft and fraud, up to a maximum of $5,000 per class member. Class members may also claim up to five hours of lost time dealing with the consequences of the data breach at $20 per hour. Class members have been offered two years of complimentary credit monitoring and identity theft protection services. Class members who do not wish to submit a claim or receive credit monitoring services may choose to receive a cash payment of $50.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 27, 2025. The deadline for exclusion from the settlement, objection to the settlement, and submitting claims is July 3, 2025. AllCare Plus Pharmacy said it has made security changes since the incident and will continue to review and update those security measures.

The post AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Frederick Health Medical Group is facing several potential class action lawsuits over a recent data breach that affected more than 900,000 patients.  Frederick Health Medical Group, a Maryland-based healthcare group, announced on January 27, 2025, that it had fallen victim to a ransomware attack and had called in cybersecurity experts to investigate the incident. At the time, it was unclear to what extent patient data had been compromised in the incident, but it has now been confirmed that the electronic protected health information of 934,326 patients was stolen.

According to its March 28, 2025, substitute breach notice, the ransomware group stole data such as patient names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, medical record numbers, health insurance information, and/or clinical information related to patients’ care. The electronic medical record system was not compromised in the attack. The name of the ransomware group behind the attack was not disclosed, and no ransomware group is known to have claimed responsibility for the attack. It is also unclear if the ransom was paid. In late March, individual notification letters started to be mailed to the affected individuals, and complimentary credit monitoring and identity theft protection services have been made available. Frederick Health Medical Group said additional cybersecurity safeguards have been implemented to better protect patient data and monitor its systems for unauthorized access.

At least five class action lawsuits have already been filed in response to the data breach. The lawsuits all assert similar claims, including negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard patient data and a failure to follow industry-standard cybersecurity best practices. The lawsuits also claim that the breach notification letters failed to disclose adequate information about the data breach, including the steps taken to prevent further attacks and even the types of data compromised in the incident. The lawsuits name Frederick Health Medical Group patients Ernest Farkas, Joseph Kingsman, Jaquelyn Chaillet, James Shoemaker, Wesley Kibler, and Jennifer McCreary as plaintiffs.

The lawsuits claim patients have suffered harm from the data breach, including an elevated and ongoing risk of identity theft and fraud, and out-of-pocket costs mitigating the harmful effects of the data breach. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.

The post Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients appeared first on The HIPAA Journal.