University of Tennessee Medical Center and Margaret Mary Community Hospital have both agreed to settle class action lawsuits over the use of tracking tools such as Meta Pixel on their websites.

University of Tennessee Medical Center

University of Tennessee Medical Center (UTMC) in Knoxville, Tennessee, has agreed to a settlement to resolve a class action lawsuit that alleged UTMC violated the Tennessee Consumer Protection Act by adding tracking technologies to its website, resulting in the unauthorized disclosure of patients’ personally identifiable health information to Meta, Google, and other third parties.

The lawsuit – Geoffrey Cavalier v. University Health Systems, Inc. d/b/a The University of Tennessee Medical Center – was filed in the Chancery Court for Knox County, Tennessee, and alleged that UTMC used tracking technologies such as Meta Pixel on its websites between January 1, 2015, and September 30, 2023. The plaintiffs allege that the tracking technologies collected and transmitted their personally identifiable information (PII) and protected health information (PHI) to third parties without their knowledge or consent.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy-intrusion upon seclusion, breach of implied contract, unjust enrichment, and violations of the Tennessee Consumer Protection Act, Tenn. Code Ann. § 47-18-101, et seq., and Tenn. Code Ann. § 39-13-601. UTMC denies all claims in the lawsuit, maintains there was no wrongdoing, and contends that no tracking code was added to its patient portal and no protected health information was disclosed to any third party via the utmedicalcenter.org website. After considering the costs and risks associated with continuing with the litigation and a jury trial, UTMC agreed to settle the lawsuit. The plaintiffs believe that the settlement is fair, reasonable, and adequate, and settling is in the best interests of all class members.

All class members, individuals who had a patient portal account between January 1, 2015, and September 30, 2023, may submit a claim for a cash payment of $25.00. All individuals who submit a timely and valid claim for a cash payment will also be provided with a complimentary Privacy Shield Pro membership, which includes dark web monitoring, a VPN, data broker opt-out, and other privacy services. The deadline for submitting a claim is December 9, 2025, and the final fairness hearing has been scheduled for December 8, 2025.

Margaret Mary Community Hospital

Margaret Mary Community Hospital in Batesville, Indiana, has settled a class action lawsuit that alleged unlawful use of tracking technologies on its website. The lawsuit claims that Meta Pixel and other tracking tools were used on its website between 2020 and 2023 without users’ knowledge or permission. The lawsuit alleges that adding those tools to the website caused patients’ personally identifiable information to be transferred to Meta and others.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the Indiana Deceptive Consumer Sales Act. Margaret Mary Community Hospital disagrees with all claims and contentions in the lawsuit and maintains that there was no wrongdoing; however, a settlement was agreed to avoid the costs and risks associated with a trial and related appeals.

All class members, individuals who logged into the Margaret Mary Community Hospital patient portal between January 1, 2020, and December 31, 2023, may claim a cash payment of $25.00 and a complimentary membership to a Privacy Shield Pro product. Individuals wishing to opt out of or object to the settlement must do so by November 15, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for December 18, 2025.

The post University of Tennessee Medical Center & Margaret Mary Community Hospital Settle Meta Pixel Lawsuits appeared first on The HIPAA Journal.

A settlement has been agreed to resolve a class action lawsuit against the Louisiana health system, Willis-Knighton Medical Center. The litigation stems from the use of tracking technologies on its public-facing website.

Several lawsuits were filed against Willis-Knighton Medical Center over the use of tracking tools on its website and patient portal, which are alleged to have caused unauthorized transmissions of personally identifiable, non-public information to third parties such as Google and Facebook. The lawsuits were consolidated in a single action – Jacqueline Horton, et al. v. Willis-Knighton Medical Center – which was heard in the 10th Judicial District Court for Natchitoches Parish in Louisiana.

Tracking technologies such as pixels are extensively used on the Internet, including by many healthcare providers. The problem is that these tools may collect sensitive data from website visitors, including information classed as protected health information under HIPAA. That information may be transmitted to third parties unauthorized to receive the information. One study found that more than 99% of hospitals had added these tools to their websites.

Willis-Knighton Medical Center denies the allegation and specifically denies that any medical information from its website or patient portal was shared with Facebook or Google; however, to avoid the cost and distraction of continuing with the litigation, and the uncertain outcome of a trial, the decision was taken to settle the litigation.

Under the terms of the settlement, class members are entitled to one year of CyEx Privacy Shield Pro, a privacy protection product, and may also claim a cash payment. The cash payments differ depending on the subclass. Individuals who used the “request an appointment” feature may claim a cash payment of $25, members of the InteliChart settlement class may claim a cash payment of $38, and members of the Medtech settlement class may claim a cash payment of $15.

Willis-Knighton Medical Center has also agreed not to use 16 specified digital analytics tools on its website and patient portal for a period of two years from the date of final approval of the settlement. The list includes Google DoubleClick, Google Ads, Meta, Amazon, TikTok, Pinterest, and TheTradeDesk.

The deadline for objection to and exclusion from the settlement is November 18, 2025. Claims must be submitted by December 18, 2025, and the final approval hearing has been scheduled for January 22, 2026.

The post Willis-Knighton Medical Center Settles Website Tracking Technology Lawsuit appeared first on The HIPAA Journal.

Pomona Valley Hospital Medical Center in California has agreed to pay $600,000 to resolve all claims in class action litigation over its use of Meta Pixel and similar tracking technologies on its public website. According to the lawsuit, the tracking tools resulted in an impermissible disclosure of personally identifiable information to third parties such as Meta (Facebook).

The lawsuit – Warren v. Pomona Valley Hospital Medical Center – was filed in the Superior Court of the State of California, County of Los Angeles, and alleged the use of these tools violated wiretapping and other statutes. Pomona Valley Hospital Medical Center denies all material allegations in the lawsuit and maintains there was no wrongdoing or liability; however, the decision was made to settle the litigation to avoid the costs and risks associated with a trial and related appeals.

Following extensive arm’s-length negotiations, a settlement in principle was reached, and the full terms of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Pomona Valley Hospital Medical Center has agreed to establish a $600,000 settlement fund to cover attorneys’ fees, administrative expenses, service awards, and benefits to the class members.

After all fees and expenses have been deducted from the settlement fund, the remainder will be paid to class members as a pro rata cash payment. Class members are California residents who visited the Pomona Valley Hospital Medical Center website and logged into the patient portal between January 1, 2019, and December 31, 2022.

The deadline for objection to and exclusion from the settlement is December 9, 2025, and the final fairness hearing has been scheduled for January 5, 2026. Class members will be contacted directly about the settlement and may choose how they receive their cash payment (check, PayPal, Venmo, etc.), or may do so via the settlement website: https://pvhmcsettlement.com/

The post Pomona Valley Hospital Medical Center Pays $600K to Settle Meta Pixel Lawsuit appeared first on The HIPAA Journal.

Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon have agreed to settle class action litigation stemming from an October 2023 data incident. An unauthorized third party gained access to employee email accounts between October 2, 2023, and October 3, 2023. While the unauthorized access was detected and remediated promptly, the hackers had access to sensitive data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial information, medical information, health insurance information, and digital signatures.

Notification letters were mailed to the affected individuals on December 1, 2023. The Oregon Attorney General was informed that the breach affected 22,796 individuals, and the HHS’ Office for Civil Rights was notified that the protected health information of 19,373 individuals was potentially compromised in the attack.

A class action lawsuit was filed by plaintiff Krysta Hakkila individually and on behalf of similarly situated individuals, which was followed by a second lawsuit filed by plaintiff Ida Vetter. The two lawsuits were consolidated in the Circuit Court of Deschutes County, Oregon – Hakkila et al. v. Neuromusculoskeletal Center of The Cascades, PC.

The lawsuit claimed that the Neuromusculoskeletal Center of The Cascades failed to implement appropriate security measures and could have prevented the data breach, asserting claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Oregon Unlawful Trade Practices Act. Neuromusculoskeletal Center of The Cascades disagrees with the claims and maintains there was no wrongdoing and is no liability.

The defendants and the plaintiffs agreed to settle the lawsuit with no admission of wrongdoing or liability to avoid the cost and risks of a trial. The settlement has recently received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for two years of medical data monitoring (CyEx Medical Shield Total), reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $500 per class member, reimbursement for documented lost time dealing with the effects of the data breach (up to four hours at $25 per hour), and reimbursement of losses to identity theft and fraud, up to a maximum of $2,500 per class member. Class members who do not wish to claim any of the above benefits may submit a claim for an alternative one-time cash payment of $80.

The deadline for submitting a claim is December 26, 2025. The final approval hearing has been scheduled for January 9, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 25, 2025.

The post Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims appeared first on The HIPAA Journal.

Two U.S. nationals have recently been indicted for using BlackCat ransomware to attack targets in the United States. A third individual is suspected of involvement but was not included in the indictment. All three individuals worked at cybersecurity companies and conducted the attacks while they were employed there.

Ryan Clifford Goldberg was employed by the cybersecurity firm Sygnia as an incident response professional, and Kevin Tyler Martin and an unnamed co-conspirator were both employed by the Chicago-based cyber threat intelligence and incident response firm DigitalMint as ransomware threat negotiators.

The two indicted individuals are alleged to have engaged in a conspiracy to enrich themselves by breaching company networks, stealing their data, using ransomware to encrypt files, and extorting the companies to obtain cryptocurrency payments. A medical device company was attacked on or around May 13, 2023, resulting in a $10 million ransom demand.  The medical device company negotiated and paid a $1,274,000 ransom payment.

A pharmaceutical company was also attacked in May 2023, but the ransom demand was not disclosed. Then came a July 2023 attack on a doctor’s office in California, which included a $5,000,000 ransom demand. In October 2023, an engineering company was attacked and told to pay $1 million, then in November 2023, a drone manufacturer in Virginia was attacked, and the defendants allegedly demanded a $300,000 ransom payment. Only the medical device company paid the ransom.

Kevin Tyler Martin, who resides in Texas, was employed as a ransomware negotiator by DigitalMint between May 2023 and April 2025, where the unnamed Florida-based co-conspirator also worked. Both individuals are thought to have been rogue employees and have been fired by DigitalMint, which has been cooperating with the law enforcement operation. Ryan Clifford Goldberg was employed as an incident response manager at Sygnia Cybersecurity Services at the time of the attacks, but no longer works for the company.

There are no indications that either company was aware of the attacks, which were conducted outside of their infrastructure and systems. DigitalMint said client data was not compromised in the incident, and no one alleged to have been involved in the scheme has worked for the company in over four months.

The FBI raided the home of the unnamed co-conspirator in April 2025, and Goldberg was interviewed by the FBI the following month, initially denying involvement in the scheme. Goldberg later claimed to have been recruited by the unnamed co-conspirator and said he conducted the attacks to get out of debt. He claims that, along with the other two members of the scheme, he received payment of $200,000 for the attack. Martin denies any involvement in the scheme.

Martin and Goldberg were indicted on October 2, 2025, on charges of conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce, and intentional damage to a protected computer. Martin has been released on a $400,000 bond and is prohibited from working in cybersecurity before the trial.

Goldberg is being held pending trial as he is considered a flight risk. Goldberg booked a one-way flight from Atlanta to Paris in June and traveled with his wife. He remained in France until September 21. Goldberg flew from Amsterdam to Mexico City and was arrested when he landed and deported to the United States. If found guilty, Martin and Goldberg face up to 50 years in jail.

The post U.S. Nationals Indicted for BlackCat Ransomware Attacks on Healthcare Organizations appeared first on The HIPAA Journal.

Therapeutic Health Services, a Seattle, WA-based provider of opioid addiction treatment, mental health counseling, and rehabilitation for alcohol and drug addiction recovery, has agreed to settle class action litigation over a February 2024 hacking incident that exposed the protected health information of more than 14,000 patients.

The incident was detected on February 26, 2024, and the investigation confirmed that patients’ names, dates of birth, Social Security numbers, and health information were compromised in the incident. The Hunters International threat group claimed responsibility for the cyberattack. Four class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Kersey, et al., v. Therapeutic Health Services – in the Superior Court of the State of Washington, King County.

The lawsuit alleged that Therapeutic Health Services failed to implement appropriate safeguards to protect sensitive data on its network, resulting in the exposure and theft of the sensitive information of current and former patients and employees. Therapeutic Health Services maintains that there was no wrongdoing and denies all allegations and all liability, does not believe that the class members suffered any damage, nor that the action satisfies the requirements to be certified or tried as a class action lawsuit. After determining that the litigation would likely be protracted and expensive, the decision was taken to settle the litigation. The plaintiffs believe that the settlement that has been negotiated is fair and in the best interests of all class members.

Under the terms of the settlement, Therapeutic Health Services has agreed to establish a $790,000 settlement fund to cover attorneys’ fees and expenses, service awards, settlement administration costs, and class members’ claims. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may be submitted for a cash payment of up to $100, which may be adjusted pro rata depending on the number of valid claims received. All class members may also claim three years of three-bureau credit monitoring services.

Claims must be submitted by January 13, 2026, and the final fairness hearing has been scheduled for January 23, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 15, 2025.  Further information can be found on the settlement website, https://www.thsdatasettlement.com/

The post Therapeutic Health Services Pays $790K to Resolve Class Action Data Breach Litigation appeared first on The HIPAA Journal.

A $19,375,000 settlement has been proposed to resolve a consolidated class action lawsuit against the electronic health records and practice management software provider NextGen Healthcare over a 2023 ransomware attack that affected more than one million individuals.

The attack was detected on April 28, 2023, and the first complaint was filed on May 5, 2023, in the United States District Court for the Northern District of Georgia, Atlanta Division. Thereafter, more than a dozen further lawsuits were filed, which were consolidated into a single action in the same court. The consolidated lawsuit alleged negligence and negligence per se for failing to implement appropriate safeguards to protect sensitive patient information, invasion of privacy/intrusion upon seclusion, breach of implied contract, breach of bailment, breach of fiduciary duty, unjust enrichment, and breach notification failures, in violation of federal and state laws, including the Official Code of Georgia Annotated (O.C.G.A).

NextGen Healthcare denies all claims and contentions in the lawsuit and maintains there was no wrongdoing or liability. NextGen Healthcare moved to have the lawsuit dismissed; however, the lawsuit was allowed to proceed (see below). Following mediation on June 25, 2025, and August 6, 2025, and after all parties considered the expense and length of proceedings to continue with the litigation, and the risks associated with doing so, the decision was taken to settle the lawsuit.

Under the terms of the settlement, NextGen Healthcare has agreed to establish a $19,375,000 settlement fund to cover attorneys’ fees and expenses, notice costs, settlement administration costs, service awards, and benefits for class members. Class members may submit a claim for documented, unreimbursed losses due to the data breach up to a maximum of $7,500 per class member and up to $250 for lost time (a maximum of 10 hours at $25 per hour). Alternatively, class members may choose to receive a cash payment, which is expected to be $50, but will be subject to a pro rata adjustment. Class members who were residents of California at the time of the data breach may claim an alternative cash payment of $150.

In addition to the above benefits, class members may also claim three years of credit monitoring and identity theft protection services, and should there be any funds remaining in the settlement fund, they will be used to extend the identity and credit monitoring services or will be distributed cy pres to a non-profit cybersecurity organization. The settlement now awaits approval from the court.

August 6, 2024: NextGen Class Action Data Breach Lawsuit Allowed to Proceed

A class action lawsuit against the electronic health record (EHR) and practice management software provider, NextGen Healthcare, over a 2023 ransomware attack has been allowed to proceed.

Hackers had access to NextGen’s computer systems from March 29, 2023, to April 14, 2023, during which time they exfiltrated a huge volume of sensitive data from the NextGen Office system. The data breach was reported to the Maine Attorney General on May 5, 2023, as affecting 1,049,375 individuals. The ransomware attack was the second to be experienced by NextGen in just a few months, with an earlier Blackcat ransomware attack occurring in January 2023.

It is not uncommon for multiple ransomware attacks to be experienced. A recent report from the cybersecurity firm Semperis suggests that three-quarters of companies that have experienced a ransomware attack were attacked multiple times. Threat actors often deploy malware in their attacks, which allows them to conduct further attacks weeks or months later.

More than a dozen lawsuits were filed against NextGen following the data breach. The plaintiffs sought compensatory, statutory, and punitive damages, additional credit monitoring services, and injunctive relief, requiring NextGen to implement additional security measures to ensure the privacy and security of the data it stores. The lawsuits were consolidated into a single lawsuit – Damon X. Miller v. NextGen Healthcare Inc. – in the U.S. District Court for the Northern District of Georgia.

The consolidated lawsuit alleges NextGen could have prevented the data breach if it had implemented reasonable and appropriate security measures, yet failed to do so, even though it had experienced a ransomware attack in January 2023. The consolidated lawsuit asserted 25 claims, including negligence, unjust enrichment, intrusion upon seclusion, breach of implied contract, breach of bailment, breach of fiduciary duty, and violations of multiple state laws in California, Georgia, Illinois, Iowa, Maine, New Jersey, New Mexico, New York, and Pennsylvania.

NextGen attempted to have 22 of the 25 claims dismissed for failure to state a claim. Most of the claims were dismissed in their entirety by U.S. District Judge Thomas Thrash; however, the motion to dismiss five counts was denied, which gives the plaintiffs the green light to proceed with the action. The motion to dismiss the counts of breach of fiduciary duty, litigation expenses, violation of the Georgia Uniform Deceptive Trade Practice Act (GUDTPA), and violation of the California Consumer Privacy Act (CCPA) was denied in entirety, and the motion to dismiss the count of violation of the California Unfair Competition Law (UCL) was denied with respect to one of the plaintiffs and a putative subclass.

NextGen had argued that, as a service provider to healthcare organizations, it did not owe a fiduciary duty to the plaintiffs, as it had no direct relationship with them and the mere receipt and storage of confidential data does not create a fiduciary relationship. Judge Thrash disagreed, as in some circumstances, the retention of private information that patients provided while seeking medical care can create a fiduciary duty under Georgia law. In his ruling, Judge Thrash did not state whether the circumstances in the case rose to that level, as that was not a question that could be resolved through a motion to dismiss.

Judge Thrash ruled that the plaintiffs had plausibly stated a claim for litigation expenses premised on bad faith, and the motion to dismiss the GUDTPA claim was denied as NextGen’s argument was dependent on “a strained reading of an unadopted Report and Recommendation.” The CCPA claim was allowed to proceed, as while NextGen argued that it is a service provider under CCPA, the plaintiffs stated otherwise, and Judge Thrash accepted those allegations as true, at least at this stage of the litigation. The motion to dismiss the California Unfair Competition Law claim was denied, as the defendant was alleged to have accepted payment to securely keep data and failed to take reasonable security measures, and that is sufficient to state a claim for restitution under UCL.

The post $19.3 Million Settlement Proposed to Resolve NextGen Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Greater Cincinnati Behavioral Health Services (GCBHS) has agreed to pay up to $850,000 to resolve all claims related to a December 2023 ransomware attack that involved unauthorized access to patient and employee information. GCBHS identified the cyberattack on December 10, 2023, and determined that initial access to its network occurred the previous day. The DragonForce ransomware group was behind the attack, and initial access was gained using compromised employee credentials. Those credentials gave the ransomware group access to 72 GB of sensitive data, including employee and patient information.

The breach was reported to the Maine Attorney General as affecting approximately 62,000 individuals, and the HHS’ Office for Civil Rights was told that the protected health information of up to 50,000 individuals was exposed in the attack. The affected employees and patients started to be notified about the data breach on June 12, 2024, and learned that their names, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, health information, and health insurance information had been exposed and potentially stolen.

Two class action lawsuits were filed in response to the breach, which were consolidated into a single complaint – In Re: Greater Cincinnati Behavioral Health Services Data Incident Litigation – in the Court of Common Pleas for Hamilton County, Ohio. The consolidated complaint alleged the defendant had failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network. The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. GCBHS denies all claims of wrongdoing and liability.

All parties attended mediation, and while a settlement was not agreed upon, following months of continued negotiations, a settlement in principle was agreed to resolve the litigation that was acceptable to all parties. The settlement agreement has recently received preliminary approval from the court. Under the terms of the settlement, GCBHS has agreed to pay a maximum of $850,000 to resolve the litigation, inclusive of attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. There are approximately 61,850 individuals in the settlement class.

Class members may submit a claim for reimbursement of documented, unreimbursed losses up to a maximum of $5,000 per class member. A pro rata cash payment can be claimed, which is expected to be in the range of $60 to $120. Additionally, all class members are entitled to claim a one-year subscription to the three-bureau CyEx Medical Shield service. The deadline for objection to and exclusion from the settlement is November 11, 2025. The deadline for submitting a claim is December 11, 2025, and the final approval hearing has been scheduled for January 14, 2026.

The post Greater Cincinnati Behavioral Health Services Pays $850K to Settle Data Breach Litigation appeared first on The HIPAA Journal.