Therapeutic Health Services Pays $790K to Resolve Class Action Data Breach Litigation

Posted by Steve Alder

Therapeutic Health Services, a Seattle, WA-based provider of opioid addiction treatment, mental health counseling, and rehabilitation for alcohol and drug addiction recovery, has agreed to settle class action litigation over a February 2024 hacking incident that exposed the protected health information of more than 14,000 patients.

The incident was detected on February 26, 2024, and the investigation confirmed that patients’ names, dates of birth, Social Security numbers, and health information were compromised in the incident. The Hunters International threat group claimed responsibility for the cyberattack. Four class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Kersey, et al., v. Therapeutic Health Services – in the Superior Court of the State of Washington, King County.

The lawsuit alleged that Therapeutic Health Services failed to implement appropriate safeguards to protect sensitive data on its network, resulting in the exposure and theft of the sensitive information of current and former patients and employees. Therapeutic Health Services maintains that there was no wrongdoing and denies all allegations and all liability, does not believe that the class members suffered any damage, nor that the action satisfies the requirements to be certified or tried as a class action lawsuit. After determining that the litigation would likely be protracted and expensive, the decision was taken to settle the litigation. The plaintiffs believe that the settlement that has been negotiated is fair and in the best interests of all class members.

Under the terms of the settlement, Therapeutic Health Services has agreed to establish a $790,000 settlement fund to cover attorneys’ fees and expenses, service awards, settlement administration costs, and class members’ claims. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may be submitted for a cash payment of up to $100, which may be adjusted pro rata depending on the number of valid claims received. All class members may also claim three years of three-bureau credit monitoring services.

Claims must be submitted by January 13, 2026, and the final fairness hearing has been scheduled for January 23, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 15, 2025.  Further information can be found on the settlement website, https://www.thsdatasettlement.com/

The post Therapeutic Health Services Pays $790K to Resolve Class Action Data Breach Litigation appeared first on The HIPAA Journal.

OB-GYN Associates & Beverly Hills Oncology Medical Group Issue Breach Notifications

Posted by Steve Alder

OB-GYN Associates in Nevada and Beverly Hills Oncology Medical Group in California have recently started notifying patients affected by hacking incidents.

OB-GYN Associates, Nevada

OB-GYN Associates, a women’s health clinic in Reno, Nevada, has recently mailed notification letters to 62,238 individuals warning them that some of their protected health information has been exposed in a recent security incident. On or around August 7, 2025, suspicious activity was identified within its IT environment. Third-party cybersecurity experts were engaged to investigate the activity and confirmed that there had been unauthorized access to parts of its network where patient data was stored.

The review of the affected data was completed on September 29, 2025. While no evidence of data misuse has been identified, patients have been informed that their first and last names, Social Security numbers, driver’s license numbers, and medical information have been exposed and may have been stolen. As a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit reporting, and credit score services. Data security policies and procedures have been reviewed and updated, network security protections have been upgraded, and changes have been made to how data is stored and managed to protect against similar incidents in the future.

Beverly Hills Oncology Medical Group

Beverly Hills Oncology Medical Group in California has notified certain patients about a security incident in February that may have resulted in the theft of patient information.  According to the breach notices provided to the Maine and California Attorneys General, unauthorized network access was identified and blocked on February 11, 2025.

An investigation was launched, with assistance provided by third-party cybersecurity experts, who confirmed unauthorized access to its network between February 7 and February 11, 2025.  The exposed files have been reviewed, and on October 13, 2025, Beverly Hills Oncology Medical Group confirmed that the exposed information included names, Social Security numbers, driver’s license numbers/other government identification numbers, financial account information, credit/debit card information, health insurance policy information, diagnoses, treatment information, prescriptions, and/or other clinical information.

Beverly Hills Oncology Medical Group said that, at the time of issuing notification letters in October, no evidence had been found to indicate any misuse of the exposed data; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post OB-GYN Associates & Beverly Hills Oncology Medical Group Issue Breach Notifications appeared first on The HIPAA Journal.