Medical and Dental Groups Settle Class Action Data Breach Lawsuits

Posted by Steve Alder

Dental Group of Amarillo in Texas and Heart South Cardiovascular Group in Alabama have settled class action lawsuits to resolve claims related to hacking incidents and data breaches. The dental group has agreed to pay $1 million, and the cardiovascular group will pay $500,000 to cover fees, expenses, and claims from the class members.

Dental Group of Amarillo Data Breach Settlement

Dental Group of Amarillo, a network of six dental and orthodontic facilities in Amarillo, Dumas, and Canyon in Texas, has agreed to pay $1,000,000 to settle a class action lawsuit filed in response to a 2023 cyberattack and data breach.

A hacking group accessed its network between October 3, 2023, and October 19, 2023, and on January 9, 2024, Dental Group of Amarillo confirmed that patient names, contact information, Social Security numbers, driver’s license numbers, and health insurance information, and medical information (including x-rays, medical histories, dates of service) were exposed and potentially stolen. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 3,821 patients.

A lawsuit was filed in response to the breach – Barham v. Dental Group of Amarillo, LLP – in the District Court for the 251st Judicial District, Potter County, Texas, alleging negligence for failing to safeguard personally identifiable information (PII) and protected health information (PHI). The lawsuit also alleged the response to the incident was inadequate, as it took until January 9, 2024, to confirm the data breach, and the HHS was not notified until March 6, 2024 – 60 days after the breach was confirmed, and 132 days after the cyberattack was first discovered. Individual notification letters were mailed on May 9, 2024, 196 days after the cyberattack was first identified. The delay was alleged to be a violation of Tex. Bus. & Com. Code Ann. § 521.053 and HIPAA.

In addition to negligence, the lawsuit asserted claims of negligence per se (violations of the Texas Identity Theft Enforcement and Protection Act, FTC Act, and HIPAA), breach of fiduciary duty, unjust enrichment, and breach of implied contract. Dental Group of Amarillo maintains there was no wrongdoing, but agreed to a settlement to avoid the costs, risks, disruptions, and uncertainties associated with continuing the litigation. Legal counsel and the lead plaintiffs determined the settlement was best for class members for similar reasons.

Under the terms of the settlement, Dental Group of Amarillo has agreed to establish a $1,000,000 settlement fund to cover attorneys’ fees (up to $333,333), attorneys’ expenses (yet to be determined), service awards to the class representatives ($2,500 each), settlement administration costs (yet to be determined), credit monitoring services, and payments to class members.

There are two potential cash payments on offer. Class members may submit a claim for up to $5,000 for reimbursement of documented, unreimbursed monetary losses or, alternatively, may choose a cash payment, which is expected to be approximately $125 per class member. The cash payments will be paid pro rata and could be higher or lower depending on the number of valid claims received.

In addition to a cash payment, class members may claim three years of three-bureau credit monitoring services, which include dark web monitoring, medical identity monitoring, public record monitoring services, and an identity theft insurance policy. The deadline for opting out of or objecting to the settlement is September 29, 2025, the claim submission deadline is October 13, 2025, and the final approval hearing has been scheduled for October 27, 2025. Further information is available on the settlement website: https://www.dgadatasettlement.com/

Heart South Cardiovascular Group Data Breach Settlement

Heart South Cardiovascular Group, a provider of cardiac and vascular care at three locations in Clanton, Alabaster, and Centreville in central Alabama, has agreed to settle litigation stemming from a May 2024 data breach that affected 20,577 patients. Heart South Cardiovascular Group identified the cyberattack on May 30, 2024, and the forensic investigation confirmed unauthorized access to its network between May 29, 2024, and May 30, 2024. The hackers potentially obtained names, addresses, birth dates, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, and other treatment information.

Several lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Kornegay et al. v. Heart South Cardiovascular Group, P.C. – in the Circuit Court of Bibb County, Alabama. The lawsuit asserted several claims: negligence for failing to implement appropriate safeguards to prevent unauthorized access to sensitive patient data, negligence per se, wantonness, breach of an express or implied contract, and unjust enrichment.

Heart South Cardiovascular Group denied all claims and contentions in the litigation and maintains there was no wrongdoing. The decision was taken to settle the lawsuit to avoid the costs, disruptions, and uncertainties associated with continuing the litigation. Under the terms of the settlement, Heart South Cardiovascular Group has agreed to establish a $500,000 settlement fund to cover attorneys’ fees (up to $186,666.66), attorneys’ expenses (yet to be determined), service awards to the class representatives ($4,000 for each of the 5 named plaintiffs), settlement administration costs (yet to be determined), credit monitoring services, and payments to class members.

Class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses fairly traceable to the data breach that happened on or after May 29, 2024, up to a maximum of $5,000 per class member. All class members may submit a claim for two years of Medical Shield Complete services, which include credit monitoring, dark web monitoring, real-time inquiry alerts, and a $1 million identity theft insurance policy. All class members may also submit a claim for a cash payment, which will be paid pro rata after fees, expenses, and claims have been paid, and is expected to be around $50.

The deadline for objecting to and opting out of the settlement is September 9, 2025, and the deadline for submitting a claim is October 9, 2025. A date has yet to be set for the final fairness hearing.

The post Medical and Dental Groups Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

Ransomware Attack on Arkansas Oncology Group Affects 113,500 Individuals

Posted by Steve Alder

Highlands Oncology Group, a comprehensive cancer care provider with six locations in Northwest Arkansas, has recently disclosed a cyberattack that was first identified on June 2, 2025. A hacker gained access to its network on January 21, 2025, and remained within the network undetected until June 2, 2025, when ransomware was used to encrypt files. Between those dates, there was intermittent access to the network, and patient data may have been viewed or acquired.

The files were reviewed and found to contain protected health information such as names, dates of birth, Social Security numbers, driver’s license/state identification numbers, passport numbers, credit/debit card numbers, financial account numbers, medical treatment information, medical record numbers, patient account numbers, and/or health insurance policy information. The types of data exposed or stolen varied from individual to individual.

The data breach was recently reported to the Maine Attorney General as involving the personal information of 113,575 individuals. Notification letters started to be mailed on August 1, 2025, and individuals whose Social Security numbers and/or driver’s license numbers were involved have been offered complimentary identity theft protection services. All individuals have been advised to remain vigilant against misuse of their information and should monitor their accounts, explanation of benefits statements, and credit reports closely for signs of data misuse.

While the name of the threat actor was not disclosed in the breach notification letters, the Medusa ransomware group claimed responsibility for the attack. Medusa is known to engage in double extortion, stealing data and demanding a ransom payment to prevent the publication of the stolen data and to provide the keys to decrypt the data. Medusa was the subject of a joint alert by CISA, the FBI, and MS-ISAC earlier this year after attacking more than 300 entities, including several healthcare providers. Medusa was behind the ransomware attack on the kidney dialysis giant DaVita earlier this year. Highlands Oncology Group was added to the Medusa data leak site temporarily, and a $700,000 ransom was demanded. There is currently no listing on the data leak site, which suggests the ransom was paid.

Highlands Oncology Group is one of several cancer care facilities to fall victim to cyberattacks in recent weeks. Last month, a phishing attack affected at least 26 cancer care providers who were part of the Integrated Oncology Network. This is not the first ransomware attack on Highlands Oncology Group, which experienced an attack in November 2023. A recent survey conducted on behalf of the cybersecurity firm Semperis revealed that 77% of healthcare organizations were targeted with ransomware in the past 12 months, 53% of those attacks were successful, and 60% faced multiple attacks.

The post Ransomware Attack on Arkansas Oncology Group Affects 113,500 Individuals appeared first on The HIPAA Journal.