HCA Healthcare Inc. has agreed to settle class action litigation stemming from a July 2023 data breach that was reported to the HHS’ Office for Civil Rights as affecting 11,270,000 patients. The affected individuals had received healthcare services at HCA hospitals and doctors’ offices in 20 U.S. states.

HCA Healthcare was targeted by hackers who accessed and stole data from an external storage location, which was used to automate the formatting of email messages. A database was stolen that contained 27.7 million records. The hackers listed the database for sale when the ransom was not paid. Data compromised in the incident included names, contact information, dates of birth, and appointment information.

HCA Healthcare announced the data breach on or around July 10, 2024, and the first class action lawsuit was filed within a couple of days of the announcement. In total, 27 putative class action lawsuits were filed against HCA Healthcare in response to the data breach, which alleged negligence for inadequate cybersecurity practices and for failing to properly safeguard patient data. The lawsuits were consolidated – In re HCA Healthcare, Inc. Data Security Litigation – in the U.S. District Court for the Middle District of Tennessee.

HCA Healthcare denies the claims and contentions in the lawsuit; however, it negotiated a settlement to resolve the litigation, with no admission of liability or wrongdoing. While the total settlement amount has not been disclosed, attorneys for the plaintiffs may claim up to $3.1 million in fees. Attorneys usually claim one-third of the total settlement amount, which suggests the total settlement fund is greater than $9 million. The fifteen class representatives will each be paid a service award of up to $5,000.

Claims from class members will be paid once attorneys’ fees, expenses, settlement administration costs, and service awards have been deducted from the settlement fund. Class members may claim a one-year membership to a credit monitoring, fraud consultation, and identity theft restoration service, which includes a $1 million identity theft insurance policy. Class members may also submit a claim for reimbursement of documented, unreimbursed losses fairly traceable to the data breach up to a maximum of $5,000 per class member. HCA Healthcare has also confirmed that it will adopt, implement, and maintain security commitments to prevent similar incidents for at least two years from the settlement date. Those commitments have been filed under seal.

The deadline for exclusion from and objection to the settlement is August 25, 2025. Claims must be submitted by September 25, 2025, and the final fairness hearing is scheduled for October 27, 2025.

The post HCA Healthcare Multi-Million Dollar Data Breach Settlement Approved appeared first on The HIPAA Journal.

HCA Healthcare Inc. has agreed to settle class action litigation stemming from a July 2023 data breach that was reported to the HHS’ Office for Civil Rights as affecting 11,270,000 patients. The affected individuals had received healthcare services at HCA hospitals and doctors’ offices in 20 U.S. states.

HCA Healthcare was targeted by hackers who accessed and stole data from an external storage location, which was used to automate the formatting of email messages. A database was stolen that contained 27.7 million records. The hackers listed the database for sale when the ransom was not paid. Data compromised in the incident included names, contact information, dates of birth, and appointment information.

HCA Healthcare announced the data breach on or around July 10, 2024, and the first class action lawsuit was filed within a couple of days of the announcement. In total, 27 putative class action lawsuits were filed against HCA Healthcare in response to the data breach, which alleged negligence for inadequate cybersecurity practices and for failing to properly safeguard patient data. The lawsuits were consolidated – In re HCA Healthcare, Inc. Data Security Litigation – in the U.S. District Court for the Middle District of Tennessee.

HCA Healthcare denies the claims and contentions in the lawsuit; however, it negotiated a settlement to resolve the litigation, with no admission of liability or wrongdoing. While the total settlement amount has not been disclosed, attorneys for the plaintiffs may claim up to $3.1 million in fees. Attorneys usually claim one-third of the total settlement amount, which suggests the total settlement fund is greater than $9 million. The fifteen class representatives will each be paid a service award of up to $5,000.

Claims from class members will be paid once attorneys’ fees, expenses, settlement administration costs, and service awards have been deducted from the settlement fund. Class members may claim a one-year membership to a credit monitoring, fraud consultation, and identity theft restoration service, which includes a $1 million identity theft insurance policy. Class members may also submit a claim for reimbursement of documented, unreimbursed losses fairly traceable to the data breach up to a maximum of $5,000 per class member. HCA Healthcare has also confirmed that it will adopt, implement, and maintain security commitments to prevent similar incidents for at least two years from the settlement date. Those commitments have been filed under seal.

The deadline for exclusion from and objection to the settlement is August 25, 2025. Claims must be submitted by September 25, 2025, and the final fairness hearing is scheduled for October 27, 2025.

The post HCA Healthcare Multi-Million Dollar Data Breach Settlement Approved appeared first on The HIPAA Journal.

Settlements have been reached with two healthcare entities to resolve allegations that they used pixels and other tracking tools on their websites, which disclosed sensitive data to third parties without the knowledge or consent of website users.

Tracking tools such as Meta Pixel and Google Analytics code are used on websites to track user behavior, such as the pages visited, actions taken on web pages, time spent on the site, and other information. These tools transmit the collected information to third parties along with unique identifiers. Website owners can use the information collected by these tools to improve their websites, and the collected data can be used for advertising purposes. For instance, if a web user visited a page about stopping smoking, they could be targeted with adverts for smoking cessation products on other websites.

Aspen Dental Management Settlement – $18.5 Million

Aspen Dental Management, a Chicago, IL-based dental support organization serving approximately 1,100 Aspen Dental offices across the United States, was sued over its use of tracking tools that transmitted web user data to Meta (Facebook) and Google without users’ knowledge or consent between 2022 and 2025.

Several lawsuits were filed in response to the impermissible disclosures, which were consolidated into a single complaint, Donnelly, et al. v. Aspen Dental Management, Inc., in the United States District Court for the Northern District of Illinois. The lawsuit alleged negligence and violations of the Electronic Communications Privacy Act, Florida Security of Communications Act, California Invasion of Privacy Act, California Confidentiality of Medical Information Act, and the Pennsylvania Wiretap Act.

Aspen Dental Management maintains there was no wrongdoing and denies all of the claims and contentions in the lawsuit; however, the decision was made to settle the lawsuit as the litigation was likely to be protracted and expensive, with an uncertain outcome. Class counsel and the class representatives believe the settlement is in the best interests of the class members.

Under the terms of the settlement, Aspen Dental Management will establish settlement funds totaling approximately $18.5 million to cover attorneys’ fees, expenses, settlement administration costs, class representative awards, and claims from class members.  There are two subclasses in the settlement. Group 1 consists of individuals who booked an appointment via the website between February 20, 2022, and June 1, 2023, and Group 2 consists of individuals who booked an appointment on the website between June 2, 2023, and January 1, 2025.

There are approximately 621,370 individuals in Group 1 and 1,625,000 individuals in Group 2. Aspen Dental Management will establish a fund of $2,796,169.50 for Group 1 and a fund of $15,673,220 for Group 2. Class members in Group 1 will receive a pro rata cash payment once attorneys’ fees, expenses, service awards, and settlement administration costs have been deducted from the settlement fund. Class members in Group 2 will receive a cash payment of $15, subject to a pro rata reduction depending on the number of claims received.

The deadline for exclusion from the settlement, opting out, and submitting a claim is September 15, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for October 20, 2025.

Southern Mono Healthcare District (Mammoth Hospital)

Southern Mono Healthcare District, doing business as Mammoth Hospital, was also sued over the use of pixels on its website. The lawsuit, Doe v. Southern Mono Healthcare District, was filed on August 9, 2023, in the Mono County Court in Mono County, California. The lawsuit survived a motion to dismiss and was moved to the Superior Court of California, Mono County. The lawsuit claimed the use of the tracking tools violated California privacy laws.

The defendants maintain there is no liability and no wrongdoing, but chose to settle the lawsuit to avoid the costs and risks of trial. The settlement covers Mammoth Hospital patients who used the Mammoth Web Properties to access the “Your Medical Record” section on the website (mammothhospital.org) between August 9, 2022, through August 9, 2023.

Class members can claim two benefits. All class members may claim a 12-month membership to CyEx Privacy Shield Pro, which includes dark web monitoring for personal information, plus a one-time cash payment of $20. The deadline for opting out and objecting to the settlement is September 15, 2025, and the deadline for submitting a claim is October 14, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for November 6, 2025.

There has been a flurry of settlements in recent weeks to resolve pixel-related lawsuits against healthcare providers, including MarinHealth, University of Rochester Medical Center, BJC Healthcare, Henry Ford Health, and Eisenhower Health.

The post Healthcare Organizations Settle Website Tracking Class Action Lawsuits appeared first on The HIPAA Journal.

Bone & Joint Clinic S.C. has agreed to pay $575,000 to settle a class action lawsuit stemming from a January 2023 security incident that affected 105,094 current and former patients and employees.

Bone & Joint is an orthopedic and pain management clinical practice in Northcentral Wisconsin. On January 16, 2025, a security incident was identified that caused network disruption. An unauthorized third party accessed its network, used ransomware to encrypt files, and may have obtained protected health information such as names, contact information, dates of birth, Social Security numbers, health insurance information, diagnoses, treatment information, and other sensitive data.

Lawsuits were filed by four Bone & Joint Clinic patients, which were consolidated into a single complaint – Keith Tesky, et al. vs. Bone & Joint Clinic, S.C., – in the U.S. District Court for the Western District of Wisconsin. The lawsuits claimed that the practice failed to implement reasonable and appropriate safeguards to protect sensitive employee and patient data. The consolidated lawsuit asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, invasion of privacy, unjust enrichment, unfair and deceptive business practices, and a violation of Wisconsin law, which prohibits the unauthorized release of healthcare information.

Bone & Joint Clinic denies any wrongdoing and maintains there is no liability; however, a settlement was agreed to avoid the burden and expense of litigation. Under the terms of the settlement, class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses fairly traceable to the data breach up to a maximum of $5,000 per class member.

Class members may also submit a claim for a pro rata cash payment, which is expected to be $75, but may be higher or lower depending on the number of valid claims received. The cash payments will be paid from the remainder of the settlement after attorneys’ fees (up to $191,475), attorneys’ expenses (up to $20,000), service awards (up to $2,000 for each of the four named plaintiffs), and settlement administration costs have been deducted.

The deadline for exclusion from and objection to the settlement is September 15, 2025. Claims must be submitted by October 15, 2025, and the final fairness hearing has been scheduled for January 7, 2025.

The post Bone & Joint Clinic Settles Ransomware Class Action Lawsuit for $575,000 appeared first on The HIPAA Journal.

A $2 million settlement has received preliminary approval from the court to resolve a class action lawsuit against Southwest Louisiana Hospital Association, which does business as Lake Charles Memorial Health, that stemmed from a 2022 data breach that affected 269,752 patients.

The Louisiana health system identified suspicious activity within its computer network on October 21, 2022, and it was later confirmed that an unauthorized third party had access to its network between October 20, 2022, and October 21, 2022. During that time, files were exfiltrated from the network, including names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information, payment information, limited clinical information, and in some cases, Social Security numbers. The affected individuals were notified on December 23, 2025.

The first lawsuit stemming from the data breach was filed on January 5, 2023, in the Calcasieu Parish District Court in Louisiana. Further lawsuits were filed, which were consolidated into a single complaint as they were materially and substantively identical and had overlapping claims. The consolidated complaint – Salinas et al v. Southwest Louisiana Hospital Association dba Lake Charles Memorial Health System – alleged claims of negligence, breach of fiduciary duty, unjust enrichment, breach of express contract, breach of implied contract, invasion of privacy, and breach of confidence.

Lake Charles Memorial Health disagrees with the claims made in the action and maintains that there was no wrongdoing and is no liability. On the second attempt at mediation, an agreement was reached in principle to resolve the litigation. The class representatives believe the settlement is best for all class members due to the costs, risks, and uncertainty associated with trial, and the nature of the defenses raised by the defendant.

Under the terms of the settlement, all class members may claim two years of medical data monitoring and identity theft protection services. In addition, claims may be submitted for one of two benefits. A claim may be submitted for reimbursement of out-of-pocket expenses fairly traceable to the data breach up to a maximum of $5,000 per class member, which can include up to three hours of lost time at $25 per hour.

Alternatively, a claim may be submitted for a cash payment, which will be paid pro rata after attorneys’ fees (up to $666,600), legal expenses, settlement administration costs ($50,000), class representative awards (11 x $1,500), claims, and medical data monitoring and identity theft protection costs have been deducted.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 3, 2025. The deadline for opting out of the settlement is September 5, 2025, and claims must be submitted by September 5, 2025.

The post Lake Charles Memorial Health Agrees to $2 Million Data Breach Settlement appeared first on The HIPAA Journal.

BJC Health System, doing business as BJC HealthCare, is one of the latest healthcare organizations to settle litigation stemming from the use of website tracking tools. BJC HealthCare has agreed to pay up to $9.25 million to resolve the litigation and provide cash payments to the class members.

BJC HealthCare is a non-profit healthcare organization based in St. Louis, Missouri, which runs the Washington University-affiliated hospitals Barnes–Jewish Hospital and St. Louis Children’s Hospital. According to the lawsuit – John Doe et al v. BJC Health System – BJC HealthCare maintained various web properties, including the websites www.bjc.org and www.barnesjewish.org, through which patients could communicate with BJC HealthCare.

The plaintiffs alleged that tracking tools were added to the websites that collected web user data, including personally identifiable information, and that sensitive information was transmitted to companies such as Facebook (Meta), Google, SiteScout, Invoca, and TradeDesk, without the knowledge or authorization of web users. BJC HealthCare maintains there was no wrongdoing and is no liability; however, it agreed to settle the litigation. All parties believe that a settlement is in the best interests of all parties due to the costs, risks, and uncertainty associated with continuing the lawsuit.

The settlement covers all users who used the BJC HealthCare MyChart patient portal between June 2017 and August 2022. Under the terms of the settlement, BJC Healthcare will initially establish a $5.5 million settlement fund to cover attorneys’ fees, legal expenses, administration costs, class representative awards, and cash payments to class members, which are expected to be $35 per class member. Should the fund not be sufficient to cover claims, a further $3.75 million will be added to the settlement fund. If the $9.25 million settlement fund is not sufficient, claims will be subject to a pro rata reduction.

Attorneys’ fees will be up to $3,000,000, settlement administration costs are expected to cost up to $200,000, and service awards to the class representatives will be $15,000 in total. The deadline for claiming a cash payment is October 8, 2025, and the final fairness hearing is scheduled for October 16, 2025. Individuals wishing to opt out of or exclude themselves from the settlement must do so by September 8, 2025.

Several class action lawsuits have recently been settled over the use of these tracking tools, including lawsuits against Mount Nittany Health, Henry Ford Health, MarinHealth, and Eisenhower Medical Center. More settlements are expected to be announced in the coming weeks.

The post BJC HealthCare Settles Website Tracking Lawsuit for up to $9.25 Million appeared first on The HIPAA Journal.

MedStar Health has agreed to settle class action litigation stemming from a 2023 data breach that affected more than 183,000 individuals. MedStar Health will create a $1.35 million settlement fund to cover attorneys’ fees, legal costs and expenses, and claims from class members for reimbursement of out-of-pocket expenses fairly traceable to the data breach.

MedStar Health, the largest healthcare provider in Maryland and Washington, D.C., provides medical services through 120 entities, including 10 hospitals. Between January 25, 2023, and October 18, 2023, an unauthorized third party gained access to the email accounts of three employees and accessed or obtained the protected health information of 183,079 patients. The individuals were notified about the data breach on May 4, 2024.

Shortly after mailing notification letters, a class action lawsuit was filed by Gwendolyn Riddick individually and on behalf of similarly situated individuals. A further five class action lawsuits were filed by other MedStar Health patients. Since all six lawsuits were materially and substantively identical and had overlapping claims, they were consolidated into a single action, In re MedStar Health Data Security Incident, in the U.S. District Court for the District of Maryland. The plaintiffs alleged that MedStar Health failed to implement reasonable and appropriate safeguards to protect the sensitive data it stored on its network.

MedStar Health denies any wrongdoing and disagrees with the claims and contentions in the lawsuit; however, MedStar agreed to a settlement to avoid the cost and risk of a trial and any possible appeals. The $1,350,000 settlement fund will be used to pay attorneys’ fees up to $450,000, settlement administration costs up to $250,000, class representative awards of $2,500 for each of the six named plaintiffs, attorneys’ expenses, and medical data monitoring costs. The remainder of the settlement fund will be used to cover claims from class members, who are U.S. residents who are current or former MedStar patients or employees who were notified that their data was exposed between January 25, 2023, and October 18, 2023.

Under the terms of the settlement, class members may claim one of two cash payments plus a one-year membership to a medical and healthcare data monitoring service. Class members may submit a claim for reimbursement of documented losses up to a maximum of $5,000 per class member, or they may alternatively claim a cash payment, which is estimated to be $100. The cash payments may be adjusted based on the number of valid claims received.

The deadline for objecting to and opting out of the settlement is September 14, 2025. The deadline for filing a claim is October 14, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 4, 2025.

The post MedStar Health Agrees to $1.35 Million Settlement to Resolve Class Action Data Breach Litigation appeared first on The HIPAA Journal.

Robeson Health Care Corporation, a Pembroke, North Carolina-based integrated health system, has agreed to settle a class action lawsuit that alleged hackers compromised its network in a February 2023 cyberattack, exposing the protected health information of 62,627 individuals.

Hackers gained access to its network on or around February 21, 2023, and potentially accessed or acquired protected health information such as names, dates of birth, Social Security numbers, diagnosis and treatment information, medical record numbers, Medicare/Medicaid numbers, prescription information, health insurance information, and other sensitive data. The affected individuals started to be notified about the data breach on April 21, 2023.

In early to mid-May 2023, three lawsuits were filed against Robeson Health Care Corp. over the data breach by plaintiffs Julianna McKenzie, Judith Hammonds, and Ronnie McGriff in the United States District Court for the Eastern District of North Carolina. The plaintiffs asserted several claims, including negligence for failing to implement reasonable and appropriate safeguards to secure its network and protect patient data from unauthorized access. Robeson Health Care Corp. denies all claims and contentions in the lawsuit, including charges of wrongdoing and liability. Since continuing with the action would likely be expensive and protracted, all parties agreed to negotiate an appropriate settlement. That settlement has been determined to be fair by all parties and has received preliminary approval from the Superior Court of the State of North Carolina for the County of Robeson.

Under the terms of the settlement, Robeson Health Care Corp. has agreed to pay for benefits for class members, which will be capped at $750,000. Class members may submit a claim for up to $2,500 for reimbursement of documented, unreimbursed out-of-pocket losses that resulted from the data breach. Attorneys’ fees and costs have been capped at $250,000, and each of the three plaintiffs will receive a service award of $1,500.

Alternatively, class members may choose to receive a cash payment of $50, which will be paid pro rata after claims have been paid. The cash payments may be higher or lower depending on the number of claims received. In addition, class members can claim two years of single-bureau credit monitoring services. The deadline for exclusion from and objection to the settlement is June 23, 2025. The final approval hearing has been scheduled for July 21, 2025, and the deadline for submitting claims is August 6, 2025. Further information on the settlement can be found on the settlement website:  https://www.rhccdataincidentsettlement.com/

The post Robeson Health Care Corp. Agrees to $750K Data Breach Settlement appeared first on The HIPAA Journal.

Netgain Technology has agreed to settle consumer data breach litigation filed in response to a 2020 ransomware attack and data breach. Netgain will establish a $1.9 million settlement fund to cover claims from class members.

Netgain is a Minnesota-based cloud hosting and managed IT service provider with many clients in the healthcare industry. A ransomware group gained access to Netgain’s environment between September and December 2020 and deployed ransomware on November 24, 2020. The attack affected thousands of Netgain’s servers and forced it to take some of its data servers offline. The ransomware group was able to exfiltrate data in the attack, including the data of patients of its healthcare provider clients.  Data stolen in the attack included names, contact information, dates of birth, Social Security numbers, medical information, and financial information.

On May 13, 2021, plaintiffs Misty Meier and Jane Doe filed a class action complaint against Netgain, alleging their personally identifiable information (PII) and protected health information (PHI) were stolen in the attack. Further lawsuits were filed by plaintiffs Susan Reichert, Mark Kalling, Sherman Moore, Robert Smithburg, Thomas Lindsay, and Robert Guertin. On August 24, 2021, a federal judge consolidated the lawsuits into a single class action complaint – In Re: Netgain Technology, LLC, Consumer Data Breach Litigation – in the United States District Court for the District of Minnesota.

The lawsuit asserted several causes of action, some of which were dismissed; however, the causes of action for negligence and declaratory judgment were allowed to proceed, and a settlement has been negotiated that has received preliminary approval from the court.  Under the terms of the settlement, class members may submit claims for documented losses and lost time up to a maximum of $5,000 per class member, and after all payments have been made, any remaining funds in the settlement fund will be distributed pro rata among the class members.

Netgain has also agreed to injunctive relief for three years from the effective date of the settlement. Netgain has agreed to adopt, continue, or implement firewall upgrades, geo-blocking, routing through secured gateways, virus prevention technology across its data environment, multi-factor authentication in its hosting environments, backup data protection, and configure its network in a secure and scalable manner.

The post Netgain Technology Agrees to $1.9 Million Settlement to Resolve Data Breach Litigation appeared first on The HIPAA Journal.