Akumin, a Florida-based provider of outpatient radiology and oncology services with locations in more than 20 U.S. states, has agreed to settle a class action lawsuit stemming from an October 2023 cybersecurity incident.

Akumin identified suspicious network activity on October 11, 2023, and confirmed that a threat actor accessed its network on October 11, 2023, and used ransomware to encrypt files.  The files potentially accessed and/or copied by the threat actor included patient and employee information such as names, contact information, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, medical record numbers, Medicare/Medicaid numbers, financial account information, health information, occupational health information, medical images, biometric information, billing and claims information, health insurance information, electronic signatures and other sensitive data.

The security incident was announced by Akumin on its website on October 12, 2023, and the data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 7,127 individuals.  Notification letters were sent to those individuals on December 29, 2023, and around a year later, on December 23, 2024, notification letters were mailed to the further affected individuals.

Several class action lawsuits were filed against Akumin over the data breach, which were consolidated into a single lawsuit – Gina Letizio, et al. v. Akumin Operating Corp. – in the Circuit Court of the 17th Judicial Court in and for Broward County, Florida. The consolidated lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, breach of confidence, unjust enrichment, and declaratory judgment. Akumin denies any wrongdoing and maintains there is no liability but chose to settle the lawsuit to avoid the litigation costs and expenses, distractions, burden, and disruption to its business operations associated with continuing with the litigation. The plaintiffs believe their claims are valid but agreed to settle the lawsuit for similar reasons.

Under the terms of the settlement, Akumin has agreed to establish a $1.5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for each of the named plaintiffs. After those costs have been paid, the remaining funds will be used to pay benefits to the class members. All class members are entitled to submit a claim for a cash payment to reimburse them for documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member. In addition to the cash payment, class members may also claim one year of free medical data monitoring services.

The deadline for objection to and exclusion from the settlement is November 30, 2025, and claims must be submitted by the same date. The settlement has received preliminary approval from the court, and the final approval hearing has been scheduled for December 15, 2025. Further information can be found on the settlement website, https://akumindataincidentsettlement.com/

The post Akumin Agrees to Pay $1.5 Million to Settle Class action Data Breach Lawsuit appeared first on The HIPAA Journal.

Eastern Radiologists in North Carolina has agreed to pay $3.25 million to settle a class action lawsuit over a 2023 data breach that was reported to the HHS’ Office for Civil Rights as involving the protected health information of 886,746 patients. The Eastern Radiologists data breach that prompted the class action lawsuit was detected on November 24, 2023. The investigation confirmed that a threat actor had access to its network from November 20, 2023, to November 24, 2023, and copied files containing patient information. Data compromised in the incident included names, contact information, Social Security numbers, driver’s license numbers, financial account numbers, insurance information, procedure information, diagnoses, and imaging results.

Several class action lawsuits were filed in response to the data breach. Due to the lawsuits having overlapping claims, they were consolidated into a single lawsuit, Powers et al. v. Eastern Radiologists, Inc., in the General Court of Justice, Superior Court Division, in Pitt County, North Carolina. The consolidated class action complaint alleges that Eastern Radiologists failed to implement reasonable and appropriate cybersecurity measures, did not adhere to FTC guidelines on cybersecurity or follow industry standards, and that its conduct violated the Health Insurance Portability and Accountability (HIPAA). In addition to negligence, the lawsuit asserted claims of negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, invasion of privacy, and violations of North Carolina’s Unfair and Deceptive Trade Practices Act.

Eastern Radiologists deny all claims and contentions in the lawsuit and maintain that there was wrongdoing. After considering the risks associated with the litigation and the costs of continuing with the lawsuit, all parties agreed to settle the litigation. Under the terms of the settlement, Eastern Radiologists will establish a $3,250,000 settlement fund out of which attorneys’ fees and expenses, settlement administration costs, and service awards for the named plaintiffs will be deducted. The remainder of the fund will be used to pay benefits to the class members.

All class members may claim one year of medical account monitoring services and one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member. The cash payments for losses have been capped at $200,000 and will be paid pro rata should that total be reached. Alternatively, class members may claim a cash payment, which may be subject to a pro rata increase or decrease.

The deadline for exclusion and objection is October 28, 2025. Claims must be submitted by December 1, 2025, and the final approval hearing has been scheduled for December 15, 2025. Claims will be paid between 30 and 60 days after the final approval hearing.

The post Eastern Radiologists Agrees to $3.35 Million Data Breach Settlement appeared first on The HIPAA Journal.

Orthopedics Rhode Island (Ortho RI) has agreed to pay $2.9 million to settle a class action lawsuit stemming from a 2024 ransomware attack. The ransomware attack was detected by Ortho RI on September 7, 2025, with the forensic investigation confirming unauthorized network access from September 4 to September 8, 2024. Information compromised in the incident included names, addresses, dates of birth, billing and claims information, health insurance claims information, diagnoses, medications, test results, x-ray images, and other treatment information. The data breach was reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 377,731 individuals. The affected individuals were notified about the incident via a November 6, 2024, website notice and individual notifications, which were mailed on December 6, 2024.

Seven class action lawsuits were filed against Ortho RI over the data breach, one of which was dismissed. The remaining actions were consolidated in Lavoie-Soria et al. v Orthopedics Rhode Island, Inc. in Kent County Superior Court of the State of Rhode Island, as the lawsuits had overlapping claims and were based on the same facts. The plaintiffs claim to have suffered injuries due to the attack, including lost or diminished value of their private information, lost opportunity costs associated with mitigating the consequences of the data breach, and out-of-pocket losses associated with the prevention, detection, and recovery from identity theft and fraud. The lawsuit asserted claims of negligence and negligence per se due to the failure to implement reasonable and appropriate cybersecurity measures, breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Ortho RI maintains there was no wrongdoing; however, it chose to settle the lawsuit to avoid the costs, risks, and uncertainty of continuing with the litigation. The class representatives believe the settlement is best for all individuals in the settlement class for the same reasons. Under the terms of the settlement, all class members are entitled to claim two years of medical record monitoring services plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses related to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim an alternative cash payment, which is anticipated to be around $100. Attorneys’ fees, settlement administration costs, service awards for class representatives, and medical record monitoring costs will be deducted from the settlement fund, after which claims will be paid from the remaining funds.

The deadline for objection to and exclusion from the settlement is December 29, 2025. The deadline for submitting a claim is January 13, 2026, and the final approval hearing has been scheduled for January 28, 2026.

The post Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Skagit County Public Hospital District No. 1, doing business as Skagit Regional Health, the operator of Skagit Regional Hospital in Mount Vernon, Washington, has agreed to settle class action litigation stemming from its use of Meta Pixel and other tracking tools on its website, which may have disclosed patient information to third parties.

Like many hospital operators, Skagit Regional Health added tracking technologies such as Meta Pixel to its website. These tools track user activity on websites, such as the pages visited and time spent on each page; however, they can collect a range of information that can be tied to individuals via various identifiers, including IP addresses. The data collected by these tools is typically transmitted to the providers of these tools, and in the case of Meta Pixel, the data can be used to serve targeted advertisements.

On November 8, 2024, a lawsuit was filed in Skagit County Superior Court in Washington by Dave Suther – Dave Suther v. Skagit County Public Hospital District No. 1, d/b/a Skagit Regional Hospital – alleging the defendant had used tracking tools on the hospital website which collected and transmitted protected health information to Meta and other third parties without the knowledge or consent of website users. The lawsuit asserted claims of negligence, negligence per se, invasion of privacy-intrusion upon seclusion, invasion of privacy-disclosure of private facts, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of both the Washington Consumer Protection Act and the Washington Privacy Act.

The defendant denies any wrongdoing or liability and believes it would prevail at summary judgment; however, after taking into account the costs, time, and distraction of continuing with the litigation and the uncertainty and risks associated with any litigation, it agreed to engage in settlement discussions. A settlement has now been agreed that is acceptable to all parties, and the settlement has received preliminary approval from the court. Under the terms of the settlement, Skagit Regional Health has agreed to cover the cost of attorneys’ fees and expenses, settlement administration costs, class representative awards, and a cash payment of $20 for all class members.

The class consists of individuals who were patients of Skagit Regional Hospital who navigated to, signed up for, logged in, or used its patient portal between May 1, 2021, and September 5, 2025. Individuals wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims for cash payments must be submitted by November 3, 2025, and the final fairness hearing has been scheduled for November 21, 2025. Further information can be found on the settlement website: https://www.sutherpixelsettlement.com/

The post Skagit Regional Health Settles Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.

Reid Hospital & Health Care Services, Inc., doing business as Reid Health, in Richmond, Indiana, has agreed to a settlement to resolve class action litigation over the alleged use of Meta Pixel and other tracking tools on its website.

According to the lawsuit, Jane Doe v. Reid Health, filed in Wayne County Superior Court, State of Indiana, Reid Health impermissibly disclosed patients’ protected health information to third-party technologies without patients’ knowledge or consent. Metal Pixel and other tracking tools can collect information about website users based on their interactions on a website where the tracking code is installed. That information can be linked to individuals via their IP address, and if they are logged into certain accounts at the time of the visit. The tracking tools can collect information about the web pages visited, searches performed on the site, and information selected in drop-down boxes. That information can reveal sensitive information about individuals and may be used by third parties to serve them with targeted advertisements.

According to the lawsuit, using these tools without alerting website users amounted to negligence. The lawsuit also asserted claims of negligence per se, unjust enrichment, breach of fiduciary duty, invasion of privacy, and a violation of the Indiana Deceptive Consumer Sales Act. Reid Health vigorously denies the disclosure of any personally identifiable information to Meta or other third parties without permission and maintains that there was no wrongdoing whatsoever. Reid Health disputes that it committed, or threatened, or attempted to commit any wrongful act or violation of any law. Reid Health believes that if the lawsuit were to proceed to summary judgment or trial, it would be successful; however, after considering the cost, uncertainty, and risks inherent in any litigation, the decision was taken to settle the lawsuit.

Following mediation, all parties agreed upon a suitable settlement that provides monetary relief and membership to a medical shield product. Class members may submit a claim for a cash payment of $25 and will automatically receive a code to enroll in the medical shield product, which protects against misuse of the class members’ personal information. Notifications about the settlement were mailed on September 25, 2025, and class members have until October 25, 2025, to object to or exclude themselves from the settlement. Claims for a cash payment and Medical Shield membership must be submitted by December 24, 2025, and the final fairness hearing has been scheduled for December 9, 2025.

The post Reid Health Settles Meta Pixel Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Reid Hospital & Health Care Services, Inc., doing business as Reid Health, in Richmond, Indiana, has agreed to a settlement to resolve class action litigation over the alleged use of Meta Pixel and other tracking tools on its website.

According to the lawsuit, Jane Doe v. Reid Health, filed in Wayne County Superior Court, State of Indiana, Reid Health impermissibly disclosed patients’ protected health information to third-party technologies without patients’ knowledge or consent. Metal Pixel and other tracking tools can collect information about website users based on their interactions on a website where the tracking code is installed. That information can be linked to individuals via their IP address, and if they are logged into certain accounts at the time of the visit. The tracking tools can collect information about the web pages visited, searches performed on the site, and information selected in drop-down boxes. That information can reveal sensitive information about individuals and may be used by third parties to serve them with targeted advertisements.

According to the lawsuit, using these tools without alerting website users amounted to negligence. The lawsuit also asserted claims of negligence per se, unjust enrichment, breach of fiduciary duty, invasion of privacy, and a violation of the Indiana Deceptive Consumer Sales Act. Reid Health vigorously denies the disclosure of any personally identifiable information to Meta or other third parties without permission and maintains that there was no wrongdoing whatsoever. Reid Health disputes that it committed, or threatened, or attempted to commit any wrongful act or violation of any law. Reid Health believes that if the lawsuit were to proceed to summary judgment or trial, it would be successful; however, after considering the cost, uncertainty, and risks inherent in any litigation, the decision was taken to settle the lawsuit.

Following mediation, all parties agreed upon a suitable settlement that provides monetary relief and membership to a medical shield product. Class members may submit a claim for a cash payment of $25 and will automatically receive a code to enroll in the medical shield product, which protects against misuse of the class members’ personal information. Notifications about the settlement were mailed on September 25, 2025, and class members have until October 25, 2025, to object to or exclude themselves from the settlement. Claims for a cash payment and Medical Shield membership must be submitted by December 24, 2025, and the final fairness hearing has been scheduled for December 9, 2025.

The post Reid Health Settles Meta Pixel Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

EyeMed Vision Care has agreed to pay $5 million to settle a class action lawsuit stemming from a June 2020 data breach.  The data breach was identified by EyeMed Vision Care on July 1, 2025, when suspicious activity was observed in an employee’s email account. An employee had responded to a phishing email, allowing their email account to be accessed on June 24, 2020. Between June 24, 2020, and July 1, 2020, the threat actor used the account to send around 2,000 phishing emails.

The investigation revealed the account contained emails dating back 6 years. Those emails included the personal and protected health information of 2.1 million individuals. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information.

The first class action lawsuit in response to the data breach was filed in January 2021 by plaintiff Chandra Tate, which was followed by a second class action lawsuit around a week later. The two lawsuits were consolidated – Tate, et al. v. EyeMed Vision Care, LLC – as they had overlapping claims. The lawsuits asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of California’s unfair competition law, the California Confidentiality of Medical Information Act, and the California Consumer Privacy Act.

EyeMed Vision Care filed a motion to dismiss; however, only the negligence claim was dismissed, and all other claims were allowed to proceed. EyeMed Vision Care denies all claims and contentions in the lawsuit, maintains there was no wrongdoing, and denies that it has any liability; however, it has agreed to settle the lawsuit to avoid the costs, risks, and uncertainty of continuing with the litigation.

In June 2024, all parties engaged in mediation, and a settlement was ultimately agreed upon that was acceptable to all parties. The settlement has now received preliminary approval from Judge Douglas R. Cole of the U.S. District Court for the Southern District of Ohio, Western Division. Under the terms of the settlement, EyeMed Vision Care will establish a $5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards. The remainder of the settlement fund will be used to pay benefits to the class members.

Class members may choose to receive a $50 cash payment, which may be increased or decreased depending on the number of valid claims received.  In addition, a claim may be submitted for up to four hours of lost time at $25 per hour (max $100) for time spent dealing with issues associated with the data breach. A claim may also be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses due to the data breach, up to a maximum of $10,000 per class member, including any claim for lost time. Claims are subject to a pro rata reduction should the $5,000,000 cap on payments be reached.

EyeMed has also agreed to make changes to its business practices, including enhancing authorization requirements, providing additional security awareness training to the workforce, updating its internal password reset requirements, conducting audits for weak passwords, enhancing its multifactor authentication requirements, shortening the mailbox data retention period, and engaging a third-party vendor to conduct an updated HIPAA risk assessment. Individuals wishing to object to or exclude themselves from the settlement must do so by November 11, 2025. The deadline for submitting a claim is December 11, 2025, and the final fairness hearing has been scheduled for January 7, 2026.

This was not the only EyeMed Vision Care settlement to be reached over the data breach. In January 2022, the New York Attorney General announced that EyeMed Vision Care had agreed to pay a $600,000 fine to resolve alleged violations of New York General Business Law, and later that year, the New York State Department of Financial Services (DFS) fined EyeMed Vision Care $4.5 million for alleged violations of the DFS Cybersecurity Regulation. In 2023, a multi-state data breach investigation involving the Oregon, New Jersey, Florida, and Pennsylvania Attorneys General was settled with a $2.5 million penalty. This $5 million class action settlement takes the settlement total up to $12,600,000.

The post EyeMed Vision Care Agrees to Pay $5 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Individuals who used SSM Health’s MyChart patient portal when tracking tools were active are entitled to claim a cash payment and a 12-month membership to a digital privacy and identity protection service to compensate them for having their personal and health data disclosed to third parties such as Meta and Google.

The settlement resolves all claims in the lawsuit, Jane Doe v. SSM Health Care Corporation, d/b/a SSM Health, which was filed in the Circuit Court for the City of St. Louis in the State of Missouri on December 5, 2022. The lawsuit alleged that SSM Health added Meta Pixel and other third-party tracking technologies on its MyChart patient portal, which collected and transmitted protected health information to third-party tracking vendors, including their status as patients, their physicians, health conditions, treatments, facilities visited, and other sensitive data, without their knowledge or consent.

Tracking tools are used extensively across the internet and track user activity on websites. The data collected by these tools can be used for advertising and marketing purposes. In healthcare, if these tools are used on authenticated web pages such as patient portals, they can collect sensitive health data and transmit that information to technology vendors. Such disclosures violate HIPAA unless a business associate agreement is obtained or valid HIPAA authorizations.

The plaintiff alleged that SSM Health’s use of these tools amounted to negligence. The lawsuit also asserted claims of invasion of privacy – intrusion upon seclusion, breach of implied contract, breach of fiduciary duty, unjust enrichment, and a violation of the Illinois Consumer Fraud and Deceptive Practices Act. SSM Health denies all claims and contentions in the lawsuit and maintains there was no wrongdoing; however, a settlement was agreed to bring the litigation to an end to avoid the costs, risks, and uncertainty of a jury trial. Class counsel and the plaintiff believe the settlement is fair.

Under the terms of the settlement, users who logged into the SSM Health MyChart patient portal between July 6, 2020, and February 10, 2023, when tracking tools were installed, are entitled to claim a 12-month membership to the CyEx Privacy Shield Pro service, which provides dark web monitoring, data broker opt-out, and identity protection services. In addition, class members may submit a claim for a cash payment of $31.50.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 21, 2025. Individuals wishing to opt out of or exclude themselves from the settlement have until October 27, 2025, to do so, and claims must be submitted by November 25, 2025. Further information can be found on the settlement website: https://ssmhealthdatasettlement.com/

The post SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit appeared first on The HIPAA Journal.