Morris Hospital & Healthcare Centers has agreed to settle a consolidated class action lawsuit that alleged negligence for failing to prevent an April 2023 data breach that affected 248,943 individuals. Under the terms of the settlement agreement, Morris Hospital will establish a $1,361,571.77 settlement fund to cover attorneys’ fees, legal expenses, and benefits for the class members.

In April 2023, Morris Hospital identified unauthorized access to its network. Hackers had access to the personal and protected health information of current and former patients, employees, and their dependents and beneficiaries.  The Royal ransomware group was behind the attack and posted the stolen data on its data leak site. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit in the Circuit Court of the Thirteenth Judicial Circuit, Grundy County, Illinois – In re: Morris Hospital Data Breach Litigation. In addition to negligence, the lawsuit asserted claims of negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act.

Morris Hospital denies all allegations of wrongdoing and liability, while the plaintiffs believe the claims have merit. All parties agreed to a settlement, which was viewed as being in the best interests of all parties considering the risks and costs of continuing with the litigation. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for October 24, 2025. Benefits for class members will be paid after all costs and expenses have been deducted from the settlement fund, which includes up to $453,857.26 for attorneys’ fees, $2,000 service awards for each of the 13 named plaintiffs, and yet to be determined settlement administration costs, and attorneys’ expenses.

All class members may submit a claim for 24 months of comprehensive credit monitoring and identity theft protection services through CyEx Medical Shield Total. In addition, class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member. If a claim for losses is not submitted, class members may instead claim a pro rata cash payment, which is expected to be approximately $100, depending on the number of claims received. Further information can be found on the settlement website: https://www.morrishospitalsettlement.com/

Individuals wishing to object to or be excluded from the settlement have until September 29, 2025, to do so, and all claims must be submitted by October 28, 2025.

The post Morris Hospital Agrees to $1.36M Class Action Data Breach Settlement appeared first on The HIPAA Journal.