Greater Cincinnati Behavioral Health Services (GCBHS) has agreed to pay up to $850,000 to resolve all claims related to a December 2023 ransomware attack that involved unauthorized access to patient and employee information. GCBHS identified the cyberattack on December 10, 2023, and determined that initial access to its network occurred the previous day. The DragonForce ransomware group was behind the attack, and initial access was gained using compromised employee credentials. Those credentials gave the ransomware group access to 72 GB of sensitive data, including employee and patient information.

The breach was reported to the Maine Attorney General as affecting approximately 62,000 individuals, and the HHS’ Office for Civil Rights was told that the protected health information of up to 50,000 individuals was exposed in the attack. The affected employees and patients started to be notified about the data breach on June 12, 2024, and learned that their names, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, health information, and health insurance information had been exposed and potentially stolen.

Two class action lawsuits were filed in response to the breach, which were consolidated into a single complaint – In Re: Greater Cincinnati Behavioral Health Services Data Incident Litigation – in the Court of Common Pleas for Hamilton County, Ohio. The consolidated complaint alleged the defendant had failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network. The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. GCBHS denies all claims of wrongdoing and liability.

All parties attended mediation, and while a settlement was not agreed upon, following months of continued negotiations, a settlement in principle was agreed to resolve the litigation that was acceptable to all parties. The settlement agreement has recently received preliminary approval from the court. Under the terms of the settlement, GCBHS has agreed to pay a maximum of $850,000 to resolve the litigation, inclusive of attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. There are approximately 61,850 individuals in the settlement class.

Class members may submit a claim for reimbursement of documented, unreimbursed losses up to a maximum of $5,000 per class member. A pro rata cash payment can be claimed, which is expected to be in the range of $60 to $120. Additionally, all class members are entitled to claim a one-year subscription to the three-bureau CyEx Medical Shield service. The deadline for objection to and exclusion from the settlement is November 11, 2025. The deadline for submitting a claim is December 11, 2025, and the final approval hearing has been scheduled for January 14, 2026.

The post Greater Cincinnati Behavioral Health Services Pays $850K to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Fraser Child and Family Center has agreed to pay $750,000 to settle class action litigation over a 2024 data breach. Fraser Child and Family Center is a Minnesota-based provider of autism, mental health, behavioral health, and disability services. Between May 30, 2024, and June 2, 2024, an unauthorized third party was able to access parts of its IT environment that contained the protected health information of approximately 67,000 individuals. Information potentially stolen in the incident included names, addresses, dates of birth, Social Security numbers, and medical information. The affected individuals were notified about the breach in September 2024.

Class action lawsuits were filed in response to the data breach by four plaintiffs, individually and on behalf of their minor children and similarly situated individuals. Since the lawsuits had overlapping claims and were based on the same facts, they were consolidated into a single lawsuit – In re: Fraser Child and Family Center – which was filed in the District Court for Hennepin County, Minnesota.

The lawsuit asserted several claims, including negligence, breach of contract, breach of fiduciary duty, invasion of privacy – intrusion upon seclusion, unjust enrichment, and a failure to provide adequate breach notifications. Fraser Child and Family Center denies wrongdoing and liability and filed a motion to dismiss. Shortly thereafter, all parties began to explore the possibility of early resolution of the litigation, and a settlement was agreed upon that was acceptable to all parties. The settlement agreement has now been finalized and has received preliminary approval from the court.

Following the data breach, Fraser Child and Family Center implemented additional safeguards to further protect information stored on its network. In addition, a $750,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, service awards for the plaintiffs, and benefits for the class members.

All class members are entitled to claim two years of credit monitoring services, which can be either the CyEx Identity Defense Complete package for adults or the CyEx Minor Defense package for minors. In addition, a claim may be submitted for reimbursement of documented, out-of-pocket losses due to the data breach up to a maximum of $2,500 per class member. In lieu of a claim for reimbursement of losses, class members may submit a claim for a cash payment. Cash payments will be paid after all the above costs and expenses have been paid, and the funds will be divided equally between class members who submit a claim for a cash payment.

Class members wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for November 20, 2025.

The post Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement appeared first on The HIPAA Journal.

Akumin, a Florida-based provider of outpatient radiology and oncology services with locations in more than 20 U.S. states, has agreed to settle a class action lawsuit stemming from an October 2023 cybersecurity incident.

Akumin identified suspicious network activity on October 11, 2023, and confirmed that a threat actor accessed its network on October 11, 2023, and used ransomware to encrypt files.  The files potentially accessed and/or copied by the threat actor included patient and employee information such as names, contact information, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, medical record numbers, Medicare/Medicaid numbers, financial account information, health information, occupational health information, medical images, biometric information, billing and claims information, health insurance information, electronic signatures and other sensitive data.

The security incident was announced by Akumin on its website on October 12, 2023, and the data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 7,127 individuals.  Notification letters were sent to those individuals on December 29, 2023, and around a year later, on December 23, 2024, notification letters were mailed to the further affected individuals.

Several class action lawsuits were filed against Akumin over the data breach, which were consolidated into a single lawsuit – Gina Letizio, et al. v. Akumin Operating Corp. – in the Circuit Court of the 17th Judicial Court in and for Broward County, Florida. The consolidated lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, breach of confidence, unjust enrichment, and declaratory judgment. Akumin denies any wrongdoing and maintains there is no liability but chose to settle the lawsuit to avoid the litigation costs and expenses, distractions, burden, and disruption to its business operations associated with continuing with the litigation. The plaintiffs believe their claims are valid but agreed to settle the lawsuit for similar reasons.

Under the terms of the settlement, Akumin has agreed to establish a $1.5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for each of the named plaintiffs. After those costs have been paid, the remaining funds will be used to pay benefits to the class members. All class members are entitled to submit a claim for a cash payment to reimburse them for documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member. In addition to the cash payment, class members may also claim one year of free medical data monitoring services.

The deadline for objection to and exclusion from the settlement is November 30, 2025, and claims must be submitted by the same date. The settlement has received preliminary approval from the court, and the final approval hearing has been scheduled for December 15, 2025. Further information can be found on the settlement website, https://akumindataincidentsettlement.com/

The post Akumin Agrees to Pay $1.5 Million to Settle Class action Data Breach Lawsuit appeared first on The HIPAA Journal.

Eastern Radiologists in North Carolina has agreed to pay $3.25 million to settle a class action lawsuit over a 2023 data breach that was reported to the HHS’ Office for Civil Rights as involving the protected health information of 886,746 patients. The Eastern Radiologists data breach that prompted the class action lawsuit was detected on November 24, 2023. The investigation confirmed that a threat actor had access to its network from November 20, 2023, to November 24, 2023, and copied files containing patient information. Data compromised in the incident included names, contact information, Social Security numbers, driver’s license numbers, financial account numbers, insurance information, procedure information, diagnoses, and imaging results.

Several class action lawsuits were filed in response to the data breach. Due to the lawsuits having overlapping claims, they were consolidated into a single lawsuit, Powers et al. v. Eastern Radiologists, Inc., in the General Court of Justice, Superior Court Division, in Pitt County, North Carolina. The consolidated class action complaint alleges that Eastern Radiologists failed to implement reasonable and appropriate cybersecurity measures, did not adhere to FTC guidelines on cybersecurity or follow industry standards, and that its conduct violated the Health Insurance Portability and Accountability (HIPAA). In addition to negligence, the lawsuit asserted claims of negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, invasion of privacy, and violations of North Carolina’s Unfair and Deceptive Trade Practices Act.

Eastern Radiologists deny all claims and contentions in the lawsuit and maintain that there was wrongdoing. After considering the risks associated with the litigation and the costs of continuing with the lawsuit, all parties agreed to settle the litigation. Under the terms of the settlement, Eastern Radiologists will establish a $3,250,000 settlement fund out of which attorneys’ fees and expenses, settlement administration costs, and service awards for the named plaintiffs will be deducted. The remainder of the fund will be used to pay benefits to the class members.

All class members may claim one year of medical account monitoring services and one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member. The cash payments for losses have been capped at $200,000 and will be paid pro rata should that total be reached. Alternatively, class members may claim a cash payment, which may be subject to a pro rata increase or decrease.

The deadline for exclusion and objection is October 28, 2025. Claims must be submitted by December 1, 2025, and the final approval hearing has been scheduled for December 15, 2025. Claims will be paid between 30 and 60 days after the final approval hearing.

The post Eastern Radiologists Agrees to $3.35 Million Data Breach Settlement appeared first on The HIPAA Journal.

Orthopedics Rhode Island (Ortho RI) has agreed to pay $2.9 million to settle a class action lawsuit stemming from a 2024 ransomware attack. The ransomware attack was detected by Ortho RI on September 7, 2025, with the forensic investigation confirming unauthorized network access from September 4 to September 8, 2024. Information compromised in the incident included names, addresses, dates of birth, billing and claims information, health insurance claims information, diagnoses, medications, test results, x-ray images, and other treatment information. The data breach was reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 377,731 individuals. The affected individuals were notified about the incident via a November 6, 2024, website notice and individual notifications, which were mailed on December 6, 2024.

Seven class action lawsuits were filed against Ortho RI over the data breach, one of which was dismissed. The remaining actions were consolidated in Lavoie-Soria et al. v Orthopedics Rhode Island, Inc. in Kent County Superior Court of the State of Rhode Island, as the lawsuits had overlapping claims and were based on the same facts. The plaintiffs claim to have suffered injuries due to the attack, including lost or diminished value of their private information, lost opportunity costs associated with mitigating the consequences of the data breach, and out-of-pocket losses associated with the prevention, detection, and recovery from identity theft and fraud. The lawsuit asserted claims of negligence and negligence per se due to the failure to implement reasonable and appropriate cybersecurity measures, breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Ortho RI maintains there was no wrongdoing; however, it chose to settle the lawsuit to avoid the costs, risks, and uncertainty of continuing with the litigation. The class representatives believe the settlement is best for all individuals in the settlement class for the same reasons. Under the terms of the settlement, all class members are entitled to claim two years of medical record monitoring services plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses related to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim an alternative cash payment, which is anticipated to be around $100. Attorneys’ fees, settlement administration costs, service awards for class representatives, and medical record monitoring costs will be deducted from the settlement fund, after which claims will be paid from the remaining funds.

The deadline for objection to and exclusion from the settlement is December 29, 2025. The deadline for submitting a claim is January 13, 2026, and the final approval hearing has been scheduled for January 28, 2026.

The post Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Skagit County Public Hospital District No. 1, doing business as Skagit Regional Health, the operator of Skagit Regional Hospital in Mount Vernon, Washington, has agreed to settle class action litigation stemming from its use of Meta Pixel and other tracking tools on its website, which may have disclosed patient information to third parties.

Like many hospital operators, Skagit Regional Health added tracking technologies such as Meta Pixel to its website. These tools track user activity on websites, such as the pages visited and time spent on each page; however, they can collect a range of information that can be tied to individuals via various identifiers, including IP addresses. The data collected by these tools is typically transmitted to the providers of these tools, and in the case of Meta Pixel, the data can be used to serve targeted advertisements.

On November 8, 2024, a lawsuit was filed in Skagit County Superior Court in Washington by Dave Suther – Dave Suther v. Skagit County Public Hospital District No. 1, d/b/a Skagit Regional Hospital – alleging the defendant had used tracking tools on the hospital website which collected and transmitted protected health information to Meta and other third parties without the knowledge or consent of website users. The lawsuit asserted claims of negligence, negligence per se, invasion of privacy-intrusion upon seclusion, invasion of privacy-disclosure of private facts, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of both the Washington Consumer Protection Act and the Washington Privacy Act.

The defendant denies any wrongdoing or liability and believes it would prevail at summary judgment; however, after taking into account the costs, time, and distraction of continuing with the litigation and the uncertainty and risks associated with any litigation, it agreed to engage in settlement discussions. A settlement has now been agreed that is acceptable to all parties, and the settlement has received preliminary approval from the court. Under the terms of the settlement, Skagit Regional Health has agreed to cover the cost of attorneys’ fees and expenses, settlement administration costs, class representative awards, and a cash payment of $20 for all class members.

The class consists of individuals who were patients of Skagit Regional Hospital who navigated to, signed up for, logged in, or used its patient portal between May 1, 2021, and September 5, 2025. Individuals wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims for cash payments must be submitted by November 3, 2025, and the final fairness hearing has been scheduled for November 21, 2025. Further information can be found on the settlement website: https://www.sutherpixelsettlement.com/

The post Skagit Regional Health Settles Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.

Reid Hospital & Health Care Services, Inc., doing business as Reid Health, in Richmond, Indiana, has agreed to a settlement to resolve class action litigation over the alleged use of Meta Pixel and other tracking tools on its website.

According to the lawsuit, Jane Doe v. Reid Health, filed in Wayne County Superior Court, State of Indiana, Reid Health impermissibly disclosed patients’ protected health information to third-party technologies without patients’ knowledge or consent. Metal Pixel and other tracking tools can collect information about website users based on their interactions on a website where the tracking code is installed. That information can be linked to individuals via their IP address, and if they are logged into certain accounts at the time of the visit. The tracking tools can collect information about the web pages visited, searches performed on the site, and information selected in drop-down boxes. That information can reveal sensitive information about individuals and may be used by third parties to serve them with targeted advertisements.

According to the lawsuit, using these tools without alerting website users amounted to negligence. The lawsuit also asserted claims of negligence per se, unjust enrichment, breach of fiduciary duty, invasion of privacy, and a violation of the Indiana Deceptive Consumer Sales Act. Reid Health vigorously denies the disclosure of any personally identifiable information to Meta or other third parties without permission and maintains that there was no wrongdoing whatsoever. Reid Health disputes that it committed, or threatened, or attempted to commit any wrongful act or violation of any law. Reid Health believes that if the lawsuit were to proceed to summary judgment or trial, it would be successful; however, after considering the cost, uncertainty, and risks inherent in any litigation, the decision was taken to settle the lawsuit.

Following mediation, all parties agreed upon a suitable settlement that provides monetary relief and membership to a medical shield product. Class members may submit a claim for a cash payment of $25 and will automatically receive a code to enroll in the medical shield product, which protects against misuse of the class members’ personal information. Notifications about the settlement were mailed on September 25, 2025, and class members have until October 25, 2025, to object to or exclude themselves from the settlement. Claims for a cash payment and Medical Shield membership must be submitted by December 24, 2025, and the final fairness hearing has been scheduled for December 9, 2025.

The post Reid Health Settles Meta Pixel Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Reid Hospital & Health Care Services, Inc., doing business as Reid Health, in Richmond, Indiana, has agreed to a settlement to resolve class action litigation over the alleged use of Meta Pixel and other tracking tools on its website.

According to the lawsuit, Jane Doe v. Reid Health, filed in Wayne County Superior Court, State of Indiana, Reid Health impermissibly disclosed patients’ protected health information to third-party technologies without patients’ knowledge or consent. Metal Pixel and other tracking tools can collect information about website users based on their interactions on a website where the tracking code is installed. That information can be linked to individuals via their IP address, and if they are logged into certain accounts at the time of the visit. The tracking tools can collect information about the web pages visited, searches performed on the site, and information selected in drop-down boxes. That information can reveal sensitive information about individuals and may be used by third parties to serve them with targeted advertisements.

According to the lawsuit, using these tools without alerting website users amounted to negligence. The lawsuit also asserted claims of negligence per se, unjust enrichment, breach of fiduciary duty, invasion of privacy, and a violation of the Indiana Deceptive Consumer Sales Act. Reid Health vigorously denies the disclosure of any personally identifiable information to Meta or other third parties without permission and maintains that there was no wrongdoing whatsoever. Reid Health disputes that it committed, or threatened, or attempted to commit any wrongful act or violation of any law. Reid Health believes that if the lawsuit were to proceed to summary judgment or trial, it would be successful; however, after considering the cost, uncertainty, and risks inherent in any litigation, the decision was taken to settle the lawsuit.

Following mediation, all parties agreed upon a suitable settlement that provides monetary relief and membership to a medical shield product. Class members may submit a claim for a cash payment of $25 and will automatically receive a code to enroll in the medical shield product, which protects against misuse of the class members’ personal information. Notifications about the settlement were mailed on September 25, 2025, and class members have until October 25, 2025, to object to or exclude themselves from the settlement. Claims for a cash payment and Medical Shield membership must be submitted by December 24, 2025, and the final fairness hearing has been scheduled for December 9, 2025.

The post Reid Health Settles Meta Pixel Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.