First Choice Dental, a network of 12 dental clinics in Dane and Madison counties in Wisconsin, experienced a ransomware attack on October 22, 2023. A settlement has recently been agreed to resolve litigation stemming from the data breach.

As reported by The HIPAA Journal in January 2024, First Choice Dental issued an interim notification about the incident, alerting patients to the exposure of some of their protected health information. At the time of issuing, the investigation into the cyberattack was ongoing. The HHS’ Office for Civil Rights was provided with an interim total of 1,000 affected individuals.

First Choice Dental explained that unauthorized network activity was first identified on October 22, 2023, but it had yet to be determined how many individuals had been affected or the types of data involved. On July 12, 2024, 9 months after the attack, individual notification letters started to be mailed. Patients were told that the compromised information included names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers/government ID numbers, credit/debit card numbers, and health information. The HHS’ Office for Civil Rights breach portal still lists the data breach as affecting 1,000 individuals, although the breach was far more extensive than the breach portal suggests, affecting more than 159,000 individuals.

The first class action lawsuit over the data breach was filed by plaintiff Kelly Gorder on July 17, 2024, in the Dane County Circuit Court of the State of Wisconsin against FCDG Management, LLC, d/b/a First Choice Dental. A further six lawsuits were subsequently filed in response to the data breach, which were consolidated in a single action in the same court – Kelly Gorder, et al., v. FCDG Management, LLC d/b/a First Choice Dental.

According to the consolidated class action complaint, the data breach could have been prevented if First Choice Dental had implemented reasonable and appropriate safeguards and followed industry-standard data security practices. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, and violations of Wisconsin Statute § 146.82.

First Choice Dental denies the claims and contentions in the lawsuit and maintains there was no wrongdoing and no liability, and on January 6, 2025, sought to have the class action lawsuit dismissed in its entirety. That attempt was partially successful, with the court dismissing the claims of invasion of privacy and unjust enrichment, but the other claims were allowed to proceed. After considering the time and expense of litigation and the uncertainty of a trial and related appeals, all parties engaged in mediation on July 1, 2025, and the principal terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court.

The settlement class consists of 159,145 individuals who were notified about the data breach. Those individuals are entitled to claim a three-year membership to the CyEx Medical Shield Monitoring product, which includes a $1 million identity theft insurance policy. In addition, class members may claim one of two benefits. A claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses due to the data breach up to a maximum of $6,000 per class member. Alternatively, a one-time cash payment of $50 may be claimed.

Claims will be paid after settlement administration costs, attorneys’ fees and expenses, and service awards have been paid, along with $225,000 of security improvements. The total settlement costs, inclusive of the above, have been capped at $1,225,000. Claims will be prorated downward if that total is exceeded.

The deadline for submitting a claim is January 28, 2026, and the final fairness hearing has been scheduled for January 12, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 29, 2025. Further information can be found on the settlement website: https://www.fcdgdatasettlement.com/

The post First Choice Dental Agrees to Pay up to $1,225,000 to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

University of Tennessee Medical Center and Margaret Mary Community Hospital have both agreed to settle class action lawsuits over the use of tracking tools such as Meta Pixel on their websites.

University of Tennessee Medical Center

University of Tennessee Medical Center (UTMC) in Knoxville, Tennessee, has agreed to a settlement to resolve a class action lawsuit that alleged UTMC violated the Tennessee Consumer Protection Act by adding tracking technologies to its website, resulting in the unauthorized disclosure of patients’ personally identifiable health information to Meta, Google, and other third parties.

The lawsuit – Geoffrey Cavalier v. University Health Systems, Inc. d/b/a The University of Tennessee Medical Center – was filed in the Chancery Court for Knox County, Tennessee, and alleged that UTMC used tracking technologies such as Meta Pixel on its websites between January 1, 2015, and September 30, 2023. The plaintiffs allege that the tracking technologies collected and transmitted their personally identifiable information (PII) and protected health information (PHI) to third parties without their knowledge or consent.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy-intrusion upon seclusion, breach of implied contract, unjust enrichment, and violations of the Tennessee Consumer Protection Act, Tenn. Code Ann. § 47-18-101, et seq., and Tenn. Code Ann. § 39-13-601. UTMC denies all claims in the lawsuit, maintains there was no wrongdoing, and contends that no tracking code was added to its patient portal and no protected health information was disclosed to any third party via the utmedicalcenter.org website. After considering the costs and risks associated with continuing with the litigation and a jury trial, UTMC agreed to settle the lawsuit. The plaintiffs believe that the settlement is fair, reasonable, and adequate, and settling is in the best interests of all class members.

All class members, individuals who had a patient portal account between January 1, 2015, and September 30, 2023, may submit a claim for a cash payment of $25.00. All individuals who submit a timely and valid claim for a cash payment will also be provided with a complimentary Privacy Shield Pro membership, which includes dark web monitoring, a VPN, data broker opt-out, and other privacy services. The deadline for submitting a claim is December 9, 2025, and the final fairness hearing has been scheduled for December 8, 2025.

Margaret Mary Community Hospital

Margaret Mary Community Hospital in Batesville, Indiana, has settled a class action lawsuit that alleged unlawful use of tracking technologies on its website. The lawsuit claims that Meta Pixel and other tracking tools were used on its website between 2020 and 2023 without users’ knowledge or permission. The lawsuit alleges that adding those tools to the website caused patients’ personally identifiable information to be transferred to Meta and others.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the Indiana Deceptive Consumer Sales Act. Margaret Mary Community Hospital disagrees with all claims and contentions in the lawsuit and maintains that there was no wrongdoing; however, a settlement was agreed to avoid the costs and risks associated with a trial and related appeals.

All class members, individuals who logged into the Margaret Mary Community Hospital patient portal between January 1, 2020, and December 31, 2023, may claim a cash payment of $25.00 and a complimentary membership to a Privacy Shield Pro product. Individuals wishing to opt out of or object to the settlement must do so by November 15, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for December 18, 2025.

The post University of Tennessee Medical Center & Margaret Mary Community Hospital Settle Meta Pixel Lawsuits appeared first on The HIPAA Journal.

A settlement has been agreed to resolve a class action lawsuit against the Louisiana health system, Willis-Knighton Medical Center. The litigation stems from the use of tracking technologies on its public-facing website.

Several lawsuits were filed against Willis-Knighton Medical Center over the use of tracking tools on its website and patient portal, which are alleged to have caused unauthorized transmissions of personally identifiable, non-public information to third parties such as Google and Facebook. The lawsuits were consolidated in a single action – Jacqueline Horton, et al. v. Willis-Knighton Medical Center – which was heard in the 10th Judicial District Court for Natchitoches Parish in Louisiana.

Tracking technologies such as pixels are extensively used on the Internet, including by many healthcare providers. The problem is that these tools may collect sensitive data from website visitors, including information classed as protected health information under HIPAA. That information may be transmitted to third parties unauthorized to receive the information. One study found that more than 99% of hospitals had added these tools to their websites.

Willis-Knighton Medical Center denies the allegation and specifically denies that any medical information from its website or patient portal was shared with Facebook or Google; however, to avoid the cost and distraction of continuing with the litigation, and the uncertain outcome of a trial, the decision was taken to settle the litigation.

Under the terms of the settlement, class members are entitled to one year of CyEx Privacy Shield Pro, a privacy protection product, and may also claim a cash payment. The cash payments differ depending on the subclass. Individuals who used the “request an appointment” feature may claim a cash payment of $25, members of the InteliChart settlement class may claim a cash payment of $38, and members of the Medtech settlement class may claim a cash payment of $15.

Willis-Knighton Medical Center has also agreed not to use 16 specified digital analytics tools on its website and patient portal for a period of two years from the date of final approval of the settlement. The list includes Google DoubleClick, Google Ads, Meta, Amazon, TikTok, Pinterest, and TheTradeDesk.

The deadline for objection to and exclusion from the settlement is November 18, 2025. Claims must be submitted by December 18, 2025, and the final approval hearing has been scheduled for January 22, 2026.

The post Willis-Knighton Medical Center Settles Website Tracking Technology Lawsuit appeared first on The HIPAA Journal.

Pomona Valley Hospital Medical Center in California has agreed to pay $600,000 to resolve all claims in class action litigation over its use of Meta Pixel and similar tracking technologies on its public website. According to the lawsuit, the tracking tools resulted in an impermissible disclosure of personally identifiable information to third parties such as Meta (Facebook).

The lawsuit – Warren v. Pomona Valley Hospital Medical Center – was filed in the Superior Court of the State of California, County of Los Angeles, and alleged the use of these tools violated wiretapping and other statutes. Pomona Valley Hospital Medical Center denies all material allegations in the lawsuit and maintains there was no wrongdoing or liability; however, the decision was made to settle the litigation to avoid the costs and risks associated with a trial and related appeals.

Following extensive arm’s-length negotiations, a settlement in principle was reached, and the full terms of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Pomona Valley Hospital Medical Center has agreed to establish a $600,000 settlement fund to cover attorneys’ fees, administrative expenses, service awards, and benefits to the class members.

After all fees and expenses have been deducted from the settlement fund, the remainder will be paid to class members as a pro rata cash payment. Class members are California residents who visited the Pomona Valley Hospital Medical Center website and logged into the patient portal between January 1, 2019, and December 31, 2022.

The deadline for objection to and exclusion from the settlement is December 9, 2025, and the final fairness hearing has been scheduled for January 5, 2026. Class members will be contacted directly about the settlement and may choose how they receive their cash payment (check, PayPal, Venmo, etc.), or may do so via the settlement website: https://pvhmcsettlement.com/

The post Pomona Valley Hospital Medical Center Pays $600K to Settle Meta Pixel Lawsuit appeared first on The HIPAA Journal.

Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon have agreed to settle class action litigation stemming from an October 2023 data incident. An unauthorized third party gained access to employee email accounts between October 2, 2023, and October 3, 2023. While the unauthorized access was detected and remediated promptly, the hackers had access to sensitive data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial information, medical information, health insurance information, and digital signatures.

Notification letters were mailed to the affected individuals on December 1, 2023. The Oregon Attorney General was informed that the breach affected 22,796 individuals, and the HHS’ Office for Civil Rights was notified that the protected health information of 19,373 individuals was potentially compromised in the attack.

A class action lawsuit was filed by plaintiff Krysta Hakkila individually and on behalf of similarly situated individuals, which was followed by a second lawsuit filed by plaintiff Ida Vetter. The two lawsuits were consolidated in the Circuit Court of Deschutes County, Oregon – Hakkila et al. v. Neuromusculoskeletal Center of The Cascades, PC.

The lawsuit claimed that the Neuromusculoskeletal Center of The Cascades failed to implement appropriate security measures and could have prevented the data breach, asserting claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Oregon Unlawful Trade Practices Act. Neuromusculoskeletal Center of The Cascades disagrees with the claims and maintains there was no wrongdoing and is no liability.

The defendants and the plaintiffs agreed to settle the lawsuit with no admission of wrongdoing or liability to avoid the cost and risks of a trial. The settlement has recently received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for two years of medical data monitoring (CyEx Medical Shield Total), reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $500 per class member, reimbursement for documented lost time dealing with the effects of the data breach (up to four hours at $25 per hour), and reimbursement of losses to identity theft and fraud, up to a maximum of $2,500 per class member. Class members who do not wish to claim any of the above benefits may submit a claim for an alternative one-time cash payment of $80.

The deadline for submitting a claim is December 26, 2025. The final approval hearing has been scheduled for January 9, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 25, 2025.

The post Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims appeared first on The HIPAA Journal.

Another former employee of DigitalMint has been accused of involvement with the ALPHV/Blackcat ransomware group while working as a ransomware negotiator for the Chicago-based cyber threat intelligence and incident response company.

As previously reported below, the U.S. Department of Justice had previously indicted two individuals for their role in ALPHV/BlackCat ransomware attacks – Former DigitalMint employee Kevin Tyler Martin and former Sygnia incident response manager Ryan Goldberg. Both have entered guilty pleas. Angelo John Martino III, 41, of Land O’ Lakes in South Florida, was included in the October 2025 indictment of Martin and Goldberg but was only identified as co-conspirator 1. His indictment has recently been unsealed.

According to the indictment, while working as ransomware negotiators for legitimate firms, all three defendants are alleged to have also been working with the ALPHV/Blackcat ransomware group. Martino is alleged to have conspired with defendants Martin and Goldberg and other unknown individuals to conduct ransomware attacks on U.S companies, including a non-profit, medical company, a medical device manufacturer, a California doctor’s office, and a pharmaceutical company.

According to the indictment, Martino provided information gained from his work as a ransomware negotiator to ALPHV/BlackCat co-conspirators to maximize ransom payments. The trio also engaged in attacks as ALPHV/BlackCat affiliates, deploying ransomware.

Across the 10 attacks included in the indictment, six resulted in ransom payments totaling more than $75.25 million, including two payments of more than $25 million. As affiliates, Martino and his co-conspirators are alleged to have paid 20% of the ransom payments to the administrators of the ransomware group.

According to the indictment, five of the companies that Martino was involved with attacking engaged DigitalMint to assist with ransom negotiations. DigitalMint assigned each of those negotiations to Martino. Martino was therefore negotiating on behalf of the companies he had attacked and the ransomware group he was working with. All five of the victims ended up paying the ransoms.

DigitalMint was unaware that Martino was working with the ALPHV/BlackCat ransomware group, and suspended Martino’s access to its systems when notified by the Department of Justice of the investigation and fired him the following day. Prior to being notified by the Department of Justice, DigitalMint was unaware that Martino and Martin were involved with the ALPHV/BlackCat ransomware group. DigitalMint has not been accused of any wrongdoing.

“We strongly condemn these former employees’ criminal behavior, which violated our values, ethical standards and the law,” said DigitalMint CEO Jonathan Solomon in a statement. “DigitalMint has fully cooperated with law enforcement from the outset and does not expect further charges. While no organization can completely eliminate insider risk, we take incidents like this extremely seriously and have strengthened safeguards and internal controls to further reduce the likelihood of similar conduct.”

Martino has been charged with conspiracy to interfere with commerce by extortion and faces up to 20 years in jail. Assets have been seized, including properties and vehicles, along with almost $9.2 million in cryptocurrency. Martino is scheduled to enter a plea on March 19, 2026, and has been released on a $500,000 bond. He has been prohibited from leaving the Southern District of Florida and is not permitted to work in the cybersecurity industry.

November 4, 2025: U.S. Nationals Indicted for BlackCat Ransomware Attacks on Healthcare Organizations

Two U.S. nationals have recently been indicted for using BlackCat ransomware to attack targets in the United States. A third individual is suspected of involvement but was not included in the indictment. All three individuals worked at cybersecurity companies and conducted the attacks while they were employed there.

Ryan Clifford Goldberg was employed by the cybersecurity firm Sygnia as an incident response professional, and Kevin Tyler Martin and an unnamed co-conspirator were both employed by the Chicago-based cyber threat intelligence and incident response firm DigitalMint as ransomware threat negotiators.

The two indicted individuals are alleged to have engaged in a conspiracy to enrich themselves by breaching company networks, stealing their data, using ransomware to encrypt files, and extorting the companies to obtain cryptocurrency payments. A medical device company was attacked on or around May 13, 2023, resulting in a $10 million ransom demand.  The medical device company negotiated and paid a $1,274,000 ransom payment.

A pharmaceutical company was also attacked in May 2023, but the ransom demand was not disclosed. Then came a July 2023 attack on a doctor’s office in California, which included a $5,000,000 ransom demand. In October 2023, an engineering company was attacked and told to pay $1 million, then in November 2023, a drone manufacturer in Virginia was attacked, and the defendants allegedly demanded a $300,000 ransom payment. Only the medical device company paid the ransom.

Kevin Tyler Martin, who resides in Texas, was employed as a ransomware negotiator by DigitalMint between May 2023 and April 2025, where the unnamed Florida-based co-conspirator also worked. Both individuals are thought to have been rogue employees and have been fired by DigitalMint, which has been cooperating with the law enforcement operation. Ryan Clifford Goldberg was employed as an incident response manager at Sygnia Cybersecurity Services at the time of the attacks, but no longer works for the company.

There are no indications that either company was aware of the attacks, which were conducted outside of their infrastructure and systems. DigitalMint said client data was not compromised in the incident, and no one alleged to have been involved in the scheme has worked for the company in over four months.

The FBI raided the home of the unnamed co-conspirator in April 2025, and Goldberg was interviewed by the FBI the following month, initially denying involvement in the scheme. Goldberg later claimed to have been recruited by the unnamed co-conspirator and said he conducted the attacks to get out of debt. He claims that, along with the other two members of the scheme, he received payment of $200,000 for the attack. Martin denies any involvement in the scheme.

Martin and Goldberg were indicted on October 2, 2025, on charges of conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce, and intentional damage to a protected computer. Martin has been released on a $400,000 bond and is prohibited from working in cybersecurity before the trial.

Goldberg is being held pending trial as he is considered a flight risk. Goldberg booked a one-way flight from Atlanta to Paris in June and traveled with his wife. He remained in France until September 21. Goldberg flew from Amsterdam to Mexico City and was arrested when he landed and deported to the United States. If found guilty, Martin and Goldberg face up to 50 years in jail.

The post Third Ransomware Negotiator Charged Over Involvement with BlackCat Ransomware Group appeared first on The HIPAA Journal.

Therapeutic Health Services, a Seattle, WA-based provider of opioid addiction treatment, mental health counseling, and rehabilitation for alcohol and drug addiction recovery, has agreed to settle class action litigation over a February 2024 hacking incident that exposed the protected health information of more than 14,000 patients.

The incident was detected on February 26, 2024, and the investigation confirmed that patients’ names, dates of birth, Social Security numbers, and health information were compromised in the incident. The Hunters International threat group claimed responsibility for the cyberattack. Four class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Kersey, et al., v. Therapeutic Health Services – in the Superior Court of the State of Washington, King County.

The lawsuit alleged that Therapeutic Health Services failed to implement appropriate safeguards to protect sensitive data on its network, resulting in the exposure and theft of the sensitive information of current and former patients and employees. Therapeutic Health Services maintains that there was no wrongdoing and denies all allegations and all liability, does not believe that the class members suffered any damage, nor that the action satisfies the requirements to be certified or tried as a class action lawsuit. After determining that the litigation would likely be protracted and expensive, the decision was taken to settle the litigation. The plaintiffs believe that the settlement that has been negotiated is fair and in the best interests of all class members.

Under the terms of the settlement, Therapeutic Health Services has agreed to establish a $790,000 settlement fund to cover attorneys’ fees and expenses, service awards, settlement administration costs, and class members’ claims. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may be submitted for a cash payment of up to $100, which may be adjusted pro rata depending on the number of valid claims received. All class members may also claim three years of three-bureau credit monitoring services.

Claims must be submitted by January 13, 2026, and the final fairness hearing has been scheduled for January 23, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 15, 2025.  Further information can be found on the settlement website, https://www.thsdatasettlement.com/

The post Therapeutic Health Services Pays $790K to Resolve Class Action Data Breach Litigation appeared first on The HIPAA Journal.

A $19,375,000 settlement has been proposed to resolve a consolidated class action lawsuit against the electronic health records and practice management software provider NextGen Healthcare over a 2023 ransomware attack that affected more than one million individuals.

The attack was detected on April 28, 2023, and the first complaint was filed on May 5, 2023, in the United States District Court for the Northern District of Georgia, Atlanta Division. Thereafter, more than a dozen further lawsuits were filed, which were consolidated into a single action in the same court. The consolidated lawsuit alleged negligence and negligence per se for failing to implement appropriate safeguards to protect sensitive patient information, invasion of privacy/intrusion upon seclusion, breach of implied contract, breach of bailment, breach of fiduciary duty, unjust enrichment, and breach notification failures, in violation of federal and state laws, including the Official Code of Georgia Annotated (O.C.G.A).

NextGen Healthcare denies all claims and contentions in the lawsuit and maintains there was no wrongdoing or liability. NextGen Healthcare moved to have the lawsuit dismissed; however, the lawsuit was allowed to proceed (see below). Following mediation on June 25, 2025, and August 6, 2025, and after all parties considered the expense and length of proceedings to continue with the litigation, and the risks associated with doing so, the decision was taken to settle the lawsuit.

Under the terms of the settlement, NextGen Healthcare has agreed to establish a $19,375,000 settlement fund to cover attorneys’ fees and expenses, notice costs, settlement administration costs, service awards, and benefits for class members. Class members may submit a claim for documented, unreimbursed losses due to the data breach up to a maximum of $7,500 per class member and up to $250 for lost time (a maximum of 10 hours at $25 per hour). Alternatively, class members may choose to receive a cash payment, which is expected to be $50, but will be subject to a pro rata adjustment. Class members who were residents of California at the time of the data breach may claim an alternative cash payment of $150.

In addition to the above benefits, class members may also claim three years of credit monitoring and identity theft protection services, and should there be any funds remaining in the settlement fund, they will be used to extend the identity and credit monitoring services or will be distributed cy pres to a non-profit cybersecurity organization. The settlement now awaits approval from the court.

August 6, 2024: NextGen Class Action Data Breach Lawsuit Allowed to Proceed

A class action lawsuit against the electronic health record (EHR) and practice management software provider, NextGen Healthcare, over a 2023 ransomware attack has been allowed to proceed.

Hackers had access to NextGen’s computer systems from March 29, 2023, to April 14, 2023, during which time they exfiltrated a huge volume of sensitive data from the NextGen Office system. The data breach was reported to the Maine Attorney General on May 5, 2023, as affecting 1,049,375 individuals. The ransomware attack was the second to be experienced by NextGen in just a few months, with an earlier Blackcat ransomware attack occurring in January 2023.

It is not uncommon for multiple ransomware attacks to be experienced. A recent report from the cybersecurity firm Semperis suggests that three-quarters of companies that have experienced a ransomware attack were attacked multiple times. Threat actors often deploy malware in their attacks, which allows them to conduct further attacks weeks or months later.

More than a dozen lawsuits were filed against NextGen following the data breach. The plaintiffs sought compensatory, statutory, and punitive damages, additional credit monitoring services, and injunctive relief, requiring NextGen to implement additional security measures to ensure the privacy and security of the data it stores. The lawsuits were consolidated into a single lawsuit – Damon X. Miller v. NextGen Healthcare Inc. – in the U.S. District Court for the Northern District of Georgia.

The consolidated lawsuit alleges NextGen could have prevented the data breach if it had implemented reasonable and appropriate security measures, yet failed to do so, even though it had experienced a ransomware attack in January 2023. The consolidated lawsuit asserted 25 claims, including negligence, unjust enrichment, intrusion upon seclusion, breach of implied contract, breach of bailment, breach of fiduciary duty, and violations of multiple state laws in California, Georgia, Illinois, Iowa, Maine, New Jersey, New Mexico, New York, and Pennsylvania.

NextGen attempted to have 22 of the 25 claims dismissed for failure to state a claim. Most of the claims were dismissed in their entirety by U.S. District Judge Thomas Thrash; however, the motion to dismiss five counts was denied, which gives the plaintiffs the green light to proceed with the action. The motion to dismiss the counts of breach of fiduciary duty, litigation expenses, violation of the Georgia Uniform Deceptive Trade Practice Act (GUDTPA), and violation of the California Consumer Privacy Act (CCPA) was denied in entirety, and the motion to dismiss the count of violation of the California Unfair Competition Law (UCL) was denied with respect to one of the plaintiffs and a putative subclass.

NextGen had argued that, as a service provider to healthcare organizations, it did not owe a fiduciary duty to the plaintiffs, as it had no direct relationship with them and the mere receipt and storage of confidential data does not create a fiduciary relationship. Judge Thrash disagreed, as in some circumstances, the retention of private information that patients provided while seeking medical care can create a fiduciary duty under Georgia law. In his ruling, Judge Thrash did not state whether the circumstances in the case rose to that level, as that was not a question that could be resolved through a motion to dismiss.

Judge Thrash ruled that the plaintiffs had plausibly stated a claim for litigation expenses premised on bad faith, and the motion to dismiss the GUDTPA claim was denied as NextGen’s argument was dependent on “a strained reading of an unadopted Report and Recommendation.” The CCPA claim was allowed to proceed, as while NextGen argued that it is a service provider under CCPA, the plaintiffs stated otherwise, and Judge Thrash accepted those allegations as true, at least at this stage of the litigation. The motion to dismiss the California Unfair Competition Law claim was denied, as the defendant was alleged to have accepted payment to securely keep data and failed to take reasonable security measures, and that is sufficient to state a claim for restitution under UCL.

The post $19.3 Million Settlement Proposed to Resolve NextGen Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.