Full Alliance Group’s Quant Blockchain Developing HIPAA-Compliant Healthcare Data Sharing Solution – The Globe and Mail
Family Health Center; NorthCare Settle Data Breach Lawsuits – The HIPAA Journal
Settlements have received preliminary approval from the courts to resolve class action data breach litigation against Family Health Center in Michigan and NorthCare in Oklahoma.
Family Health Center Class Action Data Breach Settlement
Family Health Center, a Michigan healthcare provider with three locations in Kalamazoo, has agreed to settle class action data breach litigation stemming from a January 25, 2024, cyberattack that exposed the personal and protected health information of up to 34,926 individuals. The ransomware attack prevented access to certain systems, and the forensic investigation confirmed unauthorized access to names, addresses, health insurance information, Social Security numbers, and medical information. The affected individuals were notified about the data breach on March 24, 2024.
Two lawsuits were filed in response to the data breach – Donald Vickery, et al. v. Family Health Center, Inc., and Janet Walker v. Family Health Center, Inc. – in the Ninth Judicial Circuit in and for Kalamazoo County, Michigan. The two lawsuits had overlapping claims and were consolidated on October 16, 2024. The consolidated lawsuit alleged negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, invasion of privacy, and violations of the Michigan Data Breach Notification Act and the Michigan Consumer Protection Act.
The parties mediated on January 15, 2024, and reached an agreement in principle to settle the litigation, with no admission of wrongdoing or liability. All parties agreed to the settlement to avoid the costs, expenses, distractions, burden, and disruption to business operations associated with further litigation. Under the terms of the settlement, the defendants will establish a settlement fund of up to $850,000 to cover attorneys’ fees (up to $283,305), attorneys’ expenses (yet to be determined), service awards to the class representatives ($1,500 for each of the six named plaintiffs), settlement administration costs (up to $75,000), credit monitoring costs (yet to be determined), and payments to class members.
Class members may claim one of two cash payments. Cash Payment A can be claimed as reimbursement for documented, unreimbursed out-of-pocket losses incurred as a result of the data breach up to a maximum of $5,000 per class member. Alternatively, a claim can be submitted for Cash Payment B, which is a flat cash payment of $50.00. In addition to either of the cash payments, class members may claim two years of credit monitoring, dark web monitoring, and managed identity recovery services, which include a $1 million identity theft insurance policy.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for October 17, 2025. Class members wishing to object to or exclude themselves from the settlement must do so by September 8, 2025, and claims must be submitted by October 8, 2025. Further information is available on the settlement website: https://www.fhcdatasettlement.com/
NorthCare Class Action Data Breach Settlement
NorthCare, an Oklahoma City-based mental health clinic, has agreed to settle a class action lawsuit stemming from a June 1, 2021, ransomware attack that involved unauthorized access to the protected health information of up to 128,556 individuals. A ransomware group first gained access to its network on or around May 29, 2021, and potentially viewed or obtained information such as names, addresses, dates of birth, medical diagnoses, and Social Security numbers.
A lawsuit – Ana Chavez Maendele, et al. v. North Oklahoma County Mental Health Center, d/b/a NorthCare – was filed in the District Court of Oklahoma County, Oklahoma, alleging NorthCare was negligent by failing to implement reasonable and appropriate safeguards to prevent unauthorized access to its network. NorthCare maintains there was no wrongdoing and no liability, and said it was prepared to vigorously defend the lawsuit; however, a settlement has been agreed upon to avoid the burden, expense, risk, and uncertainty of continuing to litigate.
Under the terms of the settlement, NorthCare has agreed to provide benefits to class members. Claims may be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses and financial losses fairly traceable to the data breach up to a maximum of $2,000 per class member. In addition, a claim may be submitted for reimbursement of time spent remedying the effects of the data breach up to a maximum of $100 (5 hours at $20 per hour).
Alternatively, a cash payment of $125 can be claimed by individuals who do not claim reimbursement of losses and/or reimbursement of lost time. All class members can claim three years of single-bureau credit monitoring services. Claims and cash payments will be paid after all costs and expenses have been deducted from the settlement fund. Attorneys’ fees will be up to $250,000, and class representative awards will be $2,000 per named plaintiff.
The deadline for exclusion from and objection to the settlement is September 12, 2025. Claims must be submitted by October 11, 2025, and the final fairness hearing has been scheduled for December 15, 2025.
Hathr.AI Brings Secure AI to Medical Practices via AWS GovCloud with HIPAA-Compliant Claude AI – Louisiana First News
Small Nebraska Critical Access Hospital Announces Data Breach – The HIPAA Journal
Genoa Medical Facilities, which operates a 19-bed critical access hospital in Nebraska, has discovered unauthorized access to its email environment. Email breaches have also been confirmed by Vail Summit Orthopaedics & Neurosurgery in Colorado and Southern Immediate Care in Alabama.
Genoa Community Hospital (Genoa Medical Facilities), Nebraska
Genoa Medical Facilities, which includes Genoa Community Hospital, a 19-bed critical access hospital, a 39-bed nursing home, and a medical clinic in Nebraska, has discovered unauthorized access to an employee’s email account. Suspicious email activity associated with a single email account was identified in March 2025. The forensic investigation confirmed that the breach was limited to a single account, and the account was reviewed to determine whether patient data had been exposed.
The review was completed on July 8, 2025, when it was confirmed that names, dates of birth, Social Security numbers, other government ID numbers, financial account information, medical treatment/diagnosis information, and health insurance information had been exposed. Notification letters are being sent to the affected individuals, and steps have been taken to improve email security. At the time of issuing notification letters, no misuse of the exposed information had been identified. The incident is not currently shown on the HHS’ Office for Civil Rights (OCR) breach portal, so it is unclear how many individuals have been affected.
Vail Summit Orthopaedics & Neurosurgery
Vail Summit Orthopaedics & Neurosurgery in Colorado has recently disclosed a breach of its email environment. Suspicious activity was identified on August 6, 2024. Immediate action was taken to prevent further unauthorized access, and cybersecurity professionals were engaged to investigate the activity. The investigation confirmed that an unauthorized third party accessed and acquired files, and a review has been conducted to determine the types of information involved and the individuals affected.
On July 24, 2025, Vail Summit confirmed that some patient information was copied in the incident, although no evidence has been uncovered to indicate any misuse of that data. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, health insurance information, treatment/insurance cost, diagnosis/treatment/procedure information, medical history/allergies, prescription drugs taken, medical images, test results/vital signs, healthcare provider name, and treatment date and location.
Single-bureau credit monitoring, credit report, and credit score services have been offered to the affected individuals. There is currently no listing on the OCR breach portal, so it is unclear how many individuals have been affected.
Southern Immediate Care, Alabama
Southern Immediate Care, an urgent care provider in Alabama, has announced a security incident involving two employee email accounts. Suspicious activity was identified in the accounts on April 15, 2025. An investigation has been launched, and the accounts are being reviewed to determine the extent to which patient information has been exposed. While that review is ongoing, Southern Immediate Care believes that both email accounts contain patient information. Notification letters will be mailed to the affected individuals when the review is completed. At present, no reports of misuse of patient data have been received.