Weirton Medical Center in West Virginia has agreed to a settlement to resolve class action litigation over a January 2024 ransomware attack that involved the exfiltration of sensitive data from its network. Hackers had access to its computer network between January 14 and January 18, 2024, and used ransomware to encrypt files. Data stolen in the attack included names, dates of birth, Social Security numbers, health insurance information, and treatment information. The affected individuals were notified on March 18, 2024, and the data breach was reported to the HHS Office for Civil Rights as affecting 26,793 individuals.

Four class action lawsuits were filed in response to the data breach in the U.S. District Court for the Northern District of West Virginia, naming Trish Yano, Matthew Foltz, Leslie Telek, and Judy Mullins as plaintiffs. The lawsuits were consolidated into a single lawsuit – In re Weirton Medical Center Data Breach Litigation – on June 21, 2024. The lawsuit asserted claims of negligence and negligence per se for failing to protect sensitive data on its network from unauthorized access, as well as unjust enrichment, breach of implied contract, breach of confidence, and breach of fiduciary duty.

The lawsuit survived a motion to dismiss, and all parties filed a joint motion to stay proceedings pending mediation. Weirton Medical Center disagreed with all claims and contentions in the lawsuit; however, after a full day of mediation, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and resolves the litigation in its entirety, with no admission of liability or wrongdoing.

All class members are entitled to claim one of two cash payments and credit monitoring services. A claim may be submitted for reimbursement of actual documented, unreimbursed losses that were more likely than not caused by the data breach up to a maximum of $5,000 per class member.  Alternatively, class members may claim a cash payment of $50.00, without providing any documentation to prove losses.

All class members can claim one year of three-bureau credit monitoring services, which include identity theft protection and recovery services, and a $1,000,000 identity theft insurance policy. The deadline for exclusion from and objection to the settlement is October 6, 2025. Claims must be submitted by November 5, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 3, 2025.

The post Settlement Agreed to Resolve Weirton Medical Center Data Breach Lawsuit appeared first on The HIPAA Journal.

CVS Health is facing a probe into potential HIPAA violations related to the alleged use of patient data for lobbying purposes to prevent the passing of a Louisiana state bill that could affect its business interests. The bill in question, House Bill 358 (HB 358), proposes several amendments to current pharmacy laws in Louisiana. One of the proposed amendments is prohibiting providers in the state from operating as both pharmacy benefit managers (PBMs) and individual pharmacies.

A pharmacy benefit manager is an intermediary between drug companies and pharmacies that negotiates prices with the drug companies on behalf of employers and health plans. They often also manage pharmacy networks and operate mail-order pharmacies. PMBs are facing increased scrutiny over their business practices. The Federal Trade Commission (FTC) alleged that major PBMs have inflated drug prices to increase company profits, negotiating lower prices from drug companies, then marking up the drug prices at their pharmacies. According to an FTC report earlier this year, between 2017 and 2022, UnitedHealth Group’s Optum, CVS Health’s CVS Caremark, and Cigna’s Express Scripts increased the prices of medications for heart disease, cancer, and HIV at their affiliated pharmacies, boosting revenues by $7.3 billion in excess of the acquisition costs of the medications.

Several states have passed laws to rein in PMBs and limit their influence on drug pricing, and reducing the costs of medications is a key priority for the Trump administration. CVS Health and Cigna have filed lawsuits attempting to overturn a law implemented in Arkansas to this effect, and CVS Health is alleged to have engaged in lobbying to prevent HB 358 from being passed in Louisiana. If the bill is signed into law, it would have serious implications for CVS Health, which operates as the PBM CVS Caremark, as well as 119 CVS pharmacies in the state of Louisiana.

Louisiana Attorney General Liz Murrill launched an investigation of CVS Health earlier this year after receiving reports alleging CVS Health had sent large numbers of text messages to state employees and their families to lobby against the proposed legislation. One of the texts informed the recipients that if the bill is signed into law, their CVS Pharmacy could close, medication costs could rise, and their pharmacist could lose their job.

The texts included a link to a draft letter to lawmakers calling for them to reject the legislation. “The proposed legislation would take away my and other Louisiana patients’ ability to get our medications shipped right to our homes,” the letter read. “They would also ban the pharmacies that serve patients suffering from complex diseases requiring specialty pharmacy care to manage their life-threatening conditions, like organ transplants or cancer. These vulnerable patients cannot afford any disruption to their care – the consequences would be dire.” CVS Health has been accused of lying and using scare tactics to oppose the bill, which CVS Health denies.

In late June, AG Murrill filed three lawsuits against CVS Health alleging unfair, deceptive, and unlawful practices, which have harmed Louisiana patients, independent pharmacies, and the public at large. According to CVS Health spokesperson Any Thibault, the bill was proposed with no public hearing. “We believe we had a responsibility to inform our customers of misguided legislation that sought to shutter their trusted pharmacy, and we acted accordingly,” Thibault said. “Our communication with our customers, patients and members of our community was consistent with law.”

Now, a probe has been launched by two Republican lawmakers in response to the allegations that patient data was used for lobbying purposes, potentially in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. House Committee on Oversight and Government Reform Chairman James Comer (R-KY) and Subcommittee on Federal Law Enforcement Chairman Clay Higgins (R-LA) wrote to CVS Health President and CEO David Joyner, demanding answers about how patient data has been used.

“This text message campaign raises ethical and potential legal issues if indeed CVS Pharmacy used confidential patient information, obtained through a state contract, to lobby against H.B. 358,” wrote the lawmakers. “The inflammatory and misleading text messages—which included threats of pharmacy location closures, increased prescription costs, and loss of service providers—sought to encourage CVS Pharmacy customers to contact Louisiana lawmakers to oppose the bill. This is concerning because CVS Pharmacy must comply with the Health Insurance Portability and Accountability Act (HIPAA) to access confidential patient information.”

The lawmakers explained in the letter that the HIPAA Privacy Rule does not expressly permit the use of patient data for political advocacy or lobbying, and that patient authorization would be required for such uses, pointing out that it appears that the mass texting capabilities used by CVS Health pharmacies for notifying patients about prescription updates and other individualized patient information has been used in a matter that may have violated HIPAA.

The lawmakers have requested documentation and copies of communications related to the use of patient and customer personal health information for the purposes of political advocacy or lobbying in Louisiana and all other states from January 1, 2020, to the present. They require a response by September 18, 2025.

The post CVS Health Faces HIPAA Probe Over Alleged Use of Patient Data for Lobbying and Political Advocacy appeared first on The HIPAA Journal.

Morris Hospital & Healthcare Centers has agreed to settle a consolidated class action lawsuit that alleged negligence for failing to prevent an April 2023 data breach that affected 248,943 individuals. Under the terms of the settlement agreement, Morris Hospital will establish a $1,361,571.77 settlement fund to cover attorneys’ fees, legal expenses, and benefits for the class members.

In April 2023, Morris Hospital identified unauthorized access to its network. Hackers had access to the personal and protected health information of current and former patients, employees, and their dependents and beneficiaries.  The Royal ransomware group was behind the attack and posted the stolen data on its data leak site. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit in the Circuit Court of the Thirteenth Judicial Circuit, Grundy County, Illinois – In re: Morris Hospital Data Breach Litigation. In addition to negligence, the lawsuit asserted claims of negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act.

Morris Hospital denies all allegations of wrongdoing and liability, while the plaintiffs believe the claims have merit. All parties agreed to a settlement, which was viewed as being in the best interests of all parties considering the risks and costs of continuing with the litigation. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for October 24, 2025. Benefits for class members will be paid after all costs and expenses have been deducted from the settlement fund, which includes up to $453,857.26 for attorneys’ fees, $2,000 service awards for each of the 13 named plaintiffs, and yet to be determined settlement administration costs, and attorneys’ expenses.

All class members may submit a claim for 24 months of comprehensive credit monitoring and identity theft protection services through CyEx Medical Shield Total. In addition, class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member. If a claim for losses is not submitted, class members may instead claim a pro rata cash payment, which is expected to be approximately $100, depending on the number of claims received. Further information can be found on the settlement website: https://www.morrishospitalsettlement.com/

Individuals wishing to object to or be excluded from the settlement have until September 29, 2025, to do so, and all claims must be submitted by October 28, 2025.

The post Morris Hospital Agrees to $1.36M Class Action Data Breach Settlement appeared first on The HIPAA Journal.

Another healthcare provider has agreed to settle a class action lawsuit over its use of Meta Pixel and other third-party analytics and tracking tools on its website. Children’s Hospital Medical Center of Akron, doing business as Akron Children’s Hospital, was alleged to have added these tools to its website, but their use and implementation resulted in website visitors’ personally identifiable information being disclosed to Facebook and other third parties without the web visitors’ knowledge or consent.

On January 5, 2024, plaintiff John Doe filed a lawsuit – Doe v. Children’s Hospital Medical Center of Akron – against Akron Children’s Hospital in the Court of Common Pleas, Summit County, Ohio, individually, and as next friend of minors A.D., B.D., and C.D., and other similarly situated individuals. The plaintiff alleged that his own PII and that of his minor children and other individuals was disclosed to third parties such as Meta (Facebook), Google, and others without their knowledge or consent, resulting in an invasion of privacy.

In addition to invasion of privacy – intrusion upon seclusion, the lawsuit asserted claims of negligence, negligence per se, breach of confidence, unjust enrichment, and interception and disclosure of electronic communications. Akron Children’s Hospital denies all claims asserted in the lawsuit and all allegations of wrongdoing and liability; however, it attempted mediation to avoid further litigation costs and the uncertainty of a jury trial. While initial mediation efforts failed, after several months of negotiation, a settlement was agreed that was acceptable to all parties. The settlement agreement has now received preliminary approval from Judge Alison McCarty.

The settlement agreement addresses the harm caused by the alleged data disclosure, the potential for future harm, and economic losses incurred by the plaintiffs and the 313,700 class members. All class members will be entitled to claim a one-time cash payment of $19 and will be provided with two years of credit monitoring and identity theft protection services, which include dark web monitoring, lost wallet assistance, a $1 million identity theft insurance policy, and fully managed identity theft restoration and advisory services.

Akron Children’s Hospital will also pay attorneys’ fees, costs, and expenses, settlement administration costs, service awards for class members, and has agreed to injunctive relief, which includes the removal of pixels from its public-facing website, and a commitment not to add pixels to its patient portal or any forms on its public-facing website. Akron Children’s Hospital is permitted to use pixels that are essential for website functionality and may use HIPAA-compliant third-party companies in the future for analytics functions, provided a business associate agreement is in place.

The deadline for exclusion from the settlement, objection, and submitting a claim is September 29, 2025. The final approval hearing has been scheduled for October 10, 2025.

The post Children’s Hospital Medical Center of Akron Settles Pixel Class Action Settlement appeared first on The HIPAA Journal.

Mount Sinai Health System, the largest hospital network in New York City, has agreed to a $5.3 million settlement to resolve allegations it violated federal and state laws by sharing the personal health information of website and patient portal users with Facebook without their knowledge or consent.

Legal action was taken against Mount Sinai Health over its use of the Facebook Pixel and Conversions Application Programming Interface (CAPI) on its website and MyChart patient portal between October 2020 and October 2023. The tool can collect information about website users and transmit that information to Facebook. Mount Sinai Health has denied any wrongdoing and specifically denies that any medical information from either its website or patient portal was shared with Facebook.

The lawsuit – Cooper, et al., v. Mount Sinai Health System, Inc. – was filed in the United States District Court for the Southern District of New York by plaintiffs Ronda Cooper, Coral Fraser, David Gitlin, and Gilbert Manda, who alleged that their personally identifiable health information was being collected and shared with Facebook without their knowledge or consent due to the implementation of CAPI, in violation of the federal Electronic Communications Privacy Act and New York Deceptive Trade Practices. The lawsuit also asserted claims of negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, constructive bailment, and breach of implied covenant of good faith and fair dealing.

The lawsuit survived a motion to dismiss and proceeded to discovery. During discovery, the parties engaged in mediation, and a settlement was agreed in principle to bring the litigation to an end to avoid the cost and risk of a trial and related appeals, while giving appropriate benefits to class members. The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court.

The settlement class consists of 1,314,147 individuals, and claims will be accepted from individuals who logged into their MyChart account via the mountsinai.org website between October 27, 2020, and October 27, 20-23. Under the terms of the settlement, Mount Sinai Health has agreed to establish a $5,256,588 settlement fund to cover legal costs and expenses and claims from class members. The plaintiffs’ attorneys will receive up to 35% of the settlement fund and reimbursement of court-approved attorneys’ expenses. Settlement administration costs of up to $200,000 will also be deducted, along with service awards of $2,500 per named plaintiff. The remainder of the settlement fund will be distributed to class members on a pro rata basis.

The deadline for objecting to the settlement, opting out, and filing a claim for benefits is October 14, 2025. The final approval hearing has been scheduled for October 24, 2025.

The post Mount Sinai Health System Settles Web Tracking Lawsuit for $5.3 Million appeared first on The HIPAA Journal.

Hot on the heels of the Blacksuit ransomware disruption comes another announcement about major enforcement action against a ransomware group. The U.S. Department of Justice has announced the seizure of $2.8 million in cryptocurrency from the suspected operator of the now-defunct Zeppelin ransomware group.

Six warrants were recently unsealed by federal prosecutors in the U.S. District Courts for the Eastern District of Virginia, the Central District of California, and the Northern District of Texas, which authorized the seizure. The funds were held in a cryptocurrency wallet controlled by Ianis Aleksandrovich Antropenko, who has been indicted in Texas on charges of computer fraud and money laundering. A luxury vehicle and $70,000 in cash were also seized. The funds are suspected of being obtained from companies attacked with Zeppelin ransomware between 2019 and 2022.

While Zeppelin was not the most prolific ransomware operation, the group was responsible for attacks on many U.S. entities, especially those in healthcare and IT, typically targeting vulnerabilities in MSP software. Zeppelin was a ransomware-as-a-service (RaaS) operation that paid affiliates to conduct attacks for a cut of any ransom payments they generated. The group engaged in data theft, file encryption, and extortion, demanding payment for the decryption keys and to ensure data deletion.

The proceeds from the attacks were laundered in a number of ways, such as exchanging the funds for cash and depositing them in structured cash deposits. ChipMixer, a dark web cryptocurrency mixing service, was also used to hide the origin of the cryptocurrency. Through ChipMixer, funds were cashed out in untraceable chips that could be paid into clean cryptocurrency wallets. ChipMixer was taken down in an international law enforcement operation in 2023 that was coordinated by Europol. The operation resulted in the seizure of $46.5 million in cryptocurrency. According to the DOJ, some of the funds were

While the Blacksuit operation was conducted against an active ransomware group, the latest announcement shows that action can and will be taken against cybercriminals for their historic crimes. This case is being handled by Trial Attorney Benjamin Bleiberg of the Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Jongwoo “Daniel” Chung for the Northern District of Texas.

Since 2020, CCIPS has obtained court orders to seize more than $350 million in victim funds and has secured the convictions of more than 180 cybercriminals. Along with partners such as the FBI, CCIPS has disrupted the operations of many ransomware groups and has prevented payments of over $200 million by victims of ransomware groups.

The post $2.8 Million Crypto Seizure from Ransomware Operator That Targeted Healthcare appeared first on The HIPAA Journal.

A federal judge has ordered the U.S. Department of Health and Human Services (HHS) to stop sharing the data of Medicaid enrollees with Immigration and Customs Enforcement (ICE) at the Department of Homeland Security for immigration enforcement purposes.

The Medicaid program provides health insurance for individuals with limited income and resources, such as low-income adults, children, pregnant women, elderly adults, and people with disabilities. There are currently around 79 million Medicaid enrollees in the United States. Anyone living in the United States illegally is not permitted to enroll in the federal Medicaid program, although seven states permit non-U.S. citizens to participate in their state Medicaid programs, but do not bill the federal government for the costs.

In June 2025, under the direction of HHS Secretary Robert F. Kennedy Jr., the HHS’s Centers for Medicare and Medicaid Services (CMS) started sharing the personal data of Medicaid recipients with ICE under a new data-sharing agreement. Staff at the CMS attempted to block the data transfers but were overruled by Secretary Kennedy’s advisors. ICE has had a 12-year policy of not using Medicaid data for enforcement purposes, and CMS has previously restricted the use of Medicaid data to the administration of its healthcare programs.

The HHS maintains that the access is being provided as part of the Trump Administration’s push to rid the country of illegal aliens. The data provided by the CMS provides ICE agents with identity and location information to allow those individuals to be found by enforcement officers, and stop federal funds intended for law-abiding Americans from being used to pay for Medicaid benefits for illegal aliens.

When the decision to share Medicaid data with ICE came to light in June, a coalition of 20 state attorneys general took legal action to prevent the HHS from sharing Medicaid data with ICE; however, a further agreement was entered into in July, which provided DHS with daily access to the Medicaid data stream. The shared data includes names, addresses, birth dates, ethnicities, and Social Security numbers, which may not be downloaded, but can be viewed by ICE officials until September 9, 2025, between 9 a.m. and 5 p.m.

The state attorneys general argued that the sharing of Medicaid data with DHS was in violation of HIPAA and threatened to undermine the Medicaid program. “The move to use Medicaid data for immigration enforcement upended longstanding policy protections without notice or consideration for the consequences,” said California Attorney General Rob Bonta. “As the president continues to overstep his authority in his inhumane anti-immigrant crusade, this is a clear reminder that he remains bound by the law.”

Judge Vince Chhabria, a District Court Judge in the Northern District of California, sided with the state attorneys general and ruled that the HHS must stop sharing Medicaid data with ICE for immigration enforcement purposes that was obtained from the 20 states that participated in the lawsuit. The preliminary injunction will remain in place until 14 days after HHS and DHS complete a reasoned decision-making process that complies with the Administrative Procedures Act, or the litigation is concluded.

In his ruling granting a preliminary injunction, Judge Chhabria said, “Using CMS data for immigration enforcement threatens to significantly disrupt the operation of Medicaid—a program that Congress has deemed critical for the provision of health coverage to the nation’s most vulnerable residents.” While he wrote that there is nothing categorially unlawful about the DHS obtaining data on individuals obtained from government agencies such as the HHS for immigration enforcement purposes, since 2013, ICE has had a well-publicized policy against using Medicaid data for its enforcement activities, and the CMS has a long-standing policy of not sharing patients’ personal data for reasons other than those related to its healthcare programs, and even states so on its website.

“Given these policies, and given that the various players in the Medicaid system have relied on them, it was incumbent upon the agencies to carry out a reasoned decisionmaking process before changing them,” wrote Chhabria in his ruling. “The record in this case strongly suggests that no such process occurred.”

The post Federal Judge Blocks HHS from Sharing Medicaid Data with ICE appeared first on The HIPAA Journal.

A District Court judge has recently given preliminary approval of an $8.5 million settlement to resolve a consolidated class action complaint against the HIPAA business associate Nuance Communications over a May 2023 data breach.

Nuance Communications is a Microsoft-owned computer software company based in Burlington, Massachusetts. The company provides speech recognition solutions and is a vendor to the healthcare industry.  Its AI-powered healthcare software solutions are used by physicians and radiologists to deliver personalized and connected experiences to improve care management.

Nuance used Progress Software’s MOVEit Transfer software solution for file transfers. In May 2023, a hacking group known to target file transfer solutions found and exploited a zero-day vulnerability that allowed access to data stored within the MOVEit environment.  Nuance has previously confirmed that 13 of its healthcare provider clients were affected. The breached data included names, addresses, email addresses, birth dates, and information related to health records and health insurance. Nuance said 1,225,054 individuals were affected. In total, the breach involved unauthorized access to the personal data of approximately 93 million individuals.

Many class action lawsuits were filed in relation to the MOVEIt data breach, six of which were filed against Nuance Communications and were consolidated into a single complaint – In Re: MOVEit Customer Data Security Breach Litigation – as the lawsuits had overlapping claims. The lawsuits alleged that Nuance Communications was negligent by failing to implement appropriate safeguards to ensure all data within the MOVEit system was protected against unauthorized access.

Nuance denies liability for all claims and maintains that there was no wrongdoing, has not violated anyone’s privacy, nor breached any contract; however, it chose to settle the litigation. Under the terms of the settlement, Nuance has agreed to create an $8.5 million settlement fund to cover attorneys’ fees (up to $2,833,333.33), attorneys’ expenses, settlement administration and notice costs ($550,000), and class representative awards ($2,500 per named plaintiff). After those costs have been deducted from the settlement, the remainder will be used to pay for benefits to class members.

Under the terms of the settlement, class members may submit a claim for reimbursement of out-of-pocket expenses and losses linked to the data breach. Claims may be submitted for ordinary losses up to a maximum of $2,500 per class member, and up to $10,000 for reimbursement of extraordinary losses. Claims for losses can include up to 4 hours of lost time at $25 per hour.

Alternatively, class members may submit a claim for a cash payment, which is expected to be appropriately $100 per class member, although it is subject to a pro rata adjustment depending on the number of claims received. All class members are entitled to claim 2 years of credit monitoring and identity theft protection, and insurance services.

The Honorable Allision D. Burroughs of the U.S. District Court for the District of Massachusetts has recently given preliminary approval of the settlement, and the final approval hearing is scheduled for March 18, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 24, 2025, and the deadline for submitting claims is 30 days later.  More than 100 other lawsuits filed over the MOVEit data breach are pending. Some of the other affected companies have already announced settlements.

The post Nuance Communications Settles MOVEit Lawsuit for $8.5 Million appeared first on The HIPAA Journal.