HCA Healthcare Inc. has agreed to settle class action litigation stemming from a July 2023 data breach that was reported to the HHS’ Office for Civil Rights as affecting 11,270,000 patients. The affected individuals had received healthcare services at HCA hospitals and doctors’ offices in 20 U.S. states.

HCA Healthcare was targeted by hackers who accessed and stole data from an external storage location, which was used to automate the formatting of email messages. A database was stolen that contained 27.7 million records. The hackers listed the database for sale when the ransom was not paid. Data compromised in the incident included names, contact information, dates of birth, and appointment information.

HCA Healthcare announced the data breach on or around July 10, 2024, and the first class action lawsuit was filed within a couple of days of the announcement. In total, 27 putative class action lawsuits were filed against HCA Healthcare in response to the data breach, which alleged negligence for inadequate cybersecurity practices and for failing to properly safeguard patient data. The lawsuits were consolidated – In re HCA Healthcare, Inc. Data Security Litigation – in the U.S. District Court for the Middle District of Tennessee.

HCA Healthcare denies the claims and contentions in the lawsuit; however, it negotiated a settlement to resolve the litigation, with no admission of liability or wrongdoing. While the total settlement amount has not been disclosed, attorneys for the plaintiffs may claim up to $3.1 million in fees. Attorneys usually claim one-third of the total settlement amount, which suggests the total settlement fund is greater than $9 million. The fifteen class representatives will each be paid a service award of up to $5,000.

Claims from class members will be paid once attorneys’ fees, expenses, settlement administration costs, and service awards have been deducted from the settlement fund. Class members may claim a one-year membership to a credit monitoring, fraud consultation, and identity theft restoration service, which includes a $1 million identity theft insurance policy. Class members may also submit a claim for reimbursement of documented, unreimbursed losses fairly traceable to the data breach up to a maximum of $5,000 per class member. HCA Healthcare has also confirmed that it will adopt, implement, and maintain security commitments to prevent similar incidents for at least two years from the settlement date. Those commitments have been filed under seal.

The deadline for exclusion from and objection to the settlement is August 25, 2025. Claims must be submitted by September 25, 2025, and the final fairness hearing is scheduled for October 27, 2025.

The post HCA Healthcare Multi-Million Dollar Data Breach Settlement Approved appeared first on The HIPAA Journal.

Settlements have been reached with two healthcare entities to resolve allegations that they used pixels and other tracking tools on their websites, which disclosed sensitive data to third parties without the knowledge or consent of website users.

Tracking tools such as Meta Pixel and Google Analytics code are used on websites to track user behavior, such as the pages visited, actions taken on web pages, time spent on the site, and other information. These tools transmit the collected information to third parties along with unique identifiers. Website owners can use the information collected by these tools to improve their websites, and the collected data can be used for advertising purposes. For instance, if a web user visited a page about stopping smoking, they could be targeted with adverts for smoking cessation products on other websites.

Aspen Dental Management Settlement – $18.5 Million

Aspen Dental Management, a Chicago, IL-based dental support organization serving approximately 1,100 Aspen Dental offices across the United States, was sued over its use of tracking tools that transmitted web user data to Meta (Facebook) and Google without users’ knowledge or consent between 2022 and 2025.

Several lawsuits were filed in response to the impermissible disclosures, which were consolidated into a single complaint, Donnelly, et al. v. Aspen Dental Management, Inc., in the United States District Court for the Northern District of Illinois. The lawsuit alleged negligence and violations of the Electronic Communications Privacy Act, Florida Security of Communications Act, California Invasion of Privacy Act, California Confidentiality of Medical Information Act, and the Pennsylvania Wiretap Act.

Aspen Dental Management maintains there was no wrongdoing and denies all of the claims and contentions in the lawsuit; however, the decision was made to settle the lawsuit as the litigation was likely to be protracted and expensive, with an uncertain outcome. Class counsel and the class representatives believe the settlement is in the best interests of the class members.

Under the terms of the settlement, Aspen Dental Management will establish settlement funds totaling approximately $18.5 million to cover attorneys’ fees, expenses, settlement administration costs, class representative awards, and claims from class members.  There are two subclasses in the settlement. Group 1 consists of individuals who booked an appointment via the website between February 20, 2022, and June 1, 2023, and Group 2 consists of individuals who booked an appointment on the website between June 2, 2023, and January 1, 2025.

There are approximately 621,370 individuals in Group 1 and 1,625,000 individuals in Group 2. Aspen Dental Management will establish a fund of $2,796,169.50 for Group 1 and a fund of $15,673,220 for Group 2. Class members in Group 1 will receive a pro rata cash payment once attorneys’ fees, expenses, service awards, and settlement administration costs have been deducted from the settlement fund. Class members in Group 2 will receive a cash payment of $15, subject to a pro rata reduction depending on the number of claims received.

The deadline for exclusion from the settlement, opting out, and submitting a claim is September 15, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for October 20, 2025.

Southern Mono Healthcare District (Mammoth Hospital)

Southern Mono Healthcare District, doing business as Mammoth Hospital, was also sued over the use of pixels on its website. The lawsuit, Doe v. Southern Mono Healthcare District, was filed on August 9, 2023, in the Mono County Court in Mono County, California. The lawsuit survived a motion to dismiss and was moved to the Superior Court of California, Mono County. The lawsuit claimed the use of the tracking tools violated California privacy laws.

The defendants maintain there is no liability and no wrongdoing, but chose to settle the lawsuit to avoid the costs and risks of trial. The settlement covers Mammoth Hospital patients who used the Mammoth Web Properties to access the “Your Medical Record” section on the website (mammothhospital.org) between August 9, 2022, through August 9, 2023.

Class members can claim two benefits. All class members may claim a 12-month membership to CyEx Privacy Shield Pro, which includes dark web monitoring for personal information, plus a one-time cash payment of $20. The deadline for opting out and objecting to the settlement is September 15, 2025, and the deadline for submitting a claim is October 14, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for November 6, 2025.

There has been a flurry of settlements in recent weeks to resolve pixel-related lawsuits against healthcare providers, including MarinHealth, University of Rochester Medical Center, BJC Healthcare, Henry Ford Health, and Eisenhower Health.

The post Healthcare Organizations Settle Website Tracking Class Action Lawsuits appeared first on The HIPAA Journal.