Morris Hospital Agrees to $1.36M Class Action Data Breach Settlement

Morris Hospital & Healthcare Centers has agreed to settle a consolidated class action lawsuit that alleged negligence for failing to prevent an April 2023 data breach that affected 248,943 individuals. Under the terms of the settlement agreement, Morris Hospital will establish a $1,361,571.77 settlement fund to cover attorneys’ fees, legal expenses, and benefits for the class members.

In April 2023, Morris Hospital identified unauthorized access to its network. Hackers had access to the personal and protected health information of current and former patients, employees, and their dependents and beneficiaries. The Royal ransomware group was behind the attack and posted the stolen data on its data leak site. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit in the Circuit Court of the Thirteenth Judicial Circuit, Grundy County, Illinois – In re: Morris Hospital Data Breach Litigation. In addition to negligence, the lawsuit asserted claims of negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act.

Morris Hospital denies all allegations of wrongdoing and liability, while the plaintiffs believe the claims have merit. All parties agreed to a settlement, which was viewed as being in the best interests of all parties considering the risks and costs of continuing with the litigation. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for October 24, 2025. Benefits for class members will be paid after all costs and expenses have been deducted from the settlement fund; those deductions include up to $453,857.26 for attorneys’ fees, $2,000 service awards for each of the 13 named plaintiffs, attorneys’ expenses, and yet-to-be-determined settlement administration costs.

All class members may submit a claim for 24 months of comprehensive credit monitoring and identity theft protection services through CyEx Medical Shield Total. In addition, class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member. If a claim for losses is not submitted, class members may instead claim a pro rata cash payment, which is expected to be approximately $100, depending on the number of claims received. Further information can be found on the settlement website: https://www.morrishospitalsettlement.com/

Individuals wishing to object to or be excluded from the settlement have until September 29, 2025, to do so, and all claims must be submitted by October 28, 2025.

The post Morris Hospital Agrees to $1.36M Class Action Data Breach Settlement appeared first on The HIPAA Journal.

Business Associate Hacking Incident Affects Keys Pathology Patients

A cyberattack on a business associate has resulted in unauthorized access to the protected health information of patients of Keys Pathology Associates in Texas. Assisted Living Pharmacy Service in Wisconsin and the American Association of Critical-Care Nurses in California have also announced data breaches.

Keys Pathology Associates, Texas

In July 2025, Keys Pathology Associates in Marathon, Texas, reported a hacking-related data breach to the HHS’ Office for Civil Rights that affected up to 20,000 individuals. The Maine Attorney General has now been notified, and the breach report indicates fewer individuals were affected than the initial estimate: 13,756 individuals, including 26 Maine residents.

The incident did not occur at Keys Pathology, but rather at a business associate that Keys Pathology used for billing services. The vendor, Genesis Billing Services in North Carolina, was provided with patient data, which was maintained on a third-party server outside the control of Keys Pathology. Keys Pathology was notified by its vendor on May 27, 2025, that an unauthorized third party had accessed the server on or around May 20, 2025, and deployed ransomware after downloading all data from the server. On August 21, 2025, Keys Pathology was provided with an unstructured data file containing the copied data, and work commenced on deciphering patient names and contact information. Notification letters are now being sent, and complimentary single-bureau credit monitoring, credit score, and credit report services have been offered.

Data potentially stolen in the incident varies from individual to individual and may include first and last names, addresses, dates of birth, phone numbers, Social Security numbers, driver’s license numbers, and health information. Keys Pathology said it takes data security seriously, which was a major reason why a third-party vendor was used to host patient data. As a result of the data breach, Keys Pathology has stopped using Genesis for billing services.

Assisted Living Pharmacy Service, Wisconsin

Assisted Living Pharmacy Service LLC (ALPS) in Menomonee Falls, Wisconsin, has announced a cyberattack that was identified on or around June 26, 2025. According to its substitute breach notice, the investigation confirmed unauthorized access to its network between June 25, 2025, and June 27, 2025, during which time certain data on the network was either accessed or acquired.

A review of the affected files determined that they included faxes sent to ALPS in connection with the prescription services it provided between January 2024 and June 2025. The faxes contained names along with addresses, dates of birth, driver’s license/state identification numbers, other identifiers, Social Security numbers, diagnosis/condition information, lab test results, medications, other treatment information, claims information, financial account or payment card information, and/or other financial information.

The affected individuals have been advised to monitor their accounts, explanation of benefits statements, and free credit reports for suspicious activity. While not mentioned in the breach notice, the attack appears to have been conducted by the Qilin ransomware group, which claimed responsibility for the attack and added ALPS to its dark web data leak site on August 12, 2025. The listing includes limited examples of files stolen in the attack, some of which are face sheet profiles of residents. Currently, there has been no data dump. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The American Association of Critical-Care Nurses, California

The American Association of Critical-Care Nurses (AACN) in Aliso Viejo, California, has recently disclosed a data breach that has affected 57,526 individuals. AACN is a nonprofit specialty nursing organization that provides professional and personal support to its members. While not a HIPAA-regulated entity, AACN likely provides support services to some HIPAA Journal readers.

On July 31, 2025, AACN determined that its website payment system had been accessed by an unauthorized third party beginning on March 8, 2025. Payment card information associated with certain website transactions was accessed by an unauthorized third party. Since it was not possible to determine whose payment card information was accessed, notification letters were sent to all potentially affected individuals. Data potentially accessed included names, card numbers, expiry dates, CVVs, and contact information associated with transactions on the site, which may have included billing and shipping addresses, phone numbers, and email addresses. The affected individuals have been offered two years of complimentary credit and identity monitoring services, and security enhancements have been made to prevent similar incidents in the future.


Two Disability Service Providers Announce Data Breaches Affecting 8,100 Patients

Two providers of disability services have announced security incidents. The cyberattacks on Reimagine Network in California and the Center for Disability Services in New York have affected more than 8,100 individuals.

Reimagine Network, California

Reimagine Network, a Santa Ana, California-based provider of disability services, recently reported a data breach to the HHS’ Office for Civil Rights that has affected up to 4,799 individuals. Network disruption was experienced on June 23, 2025, indicative of a cyberattack. Third-party cybersecurity experts were engaged to investigate and confirmed unauthorized network access and the potential exfiltration of files containing sensitive patient data.

The file review was completed on August 6, 2025, and notification letters have now been sent to all potentially affected individuals. The types of information involved vary from individual to individual and may include names plus one or more of the following: address, phone number, date of birth, Social Security number, diagnosis/conditions, medications, and health insurance information.

IT security experts have assessed the security of its network, and security enhancements have been made to prevent similar incidents in the future. Complimentary credit monitoring services and identity theft protection services have been offered to all affected individuals, who have been encouraged to sign up for those services to ensure their information is protected.

Center for Disability Services, New York

The Center for Disability Services in Albany, New York, has provided more information on a data security incident reported to the HHS’ Office for Civil Rights on August 8, 2025. On or around June 10, 2025, suspicious activity was identified in an employee’s email account. The account was secured, and an investigation was launched to determine the cause of the activity.

The investigation confirmed unauthorized access to the employee’s email account and other employee email accounts between June 19, 2025, and June 25, 2025. The accounts were reviewed and found to contain the protected health information of 3,343 individuals, including names, demographic information, medical information, and health insurance information. A limited number of the affected individuals also had their Social Security numbers, driver’s license numbers/state identification card numbers, and/or financial account information exposed.

The Center for Disability Services is reviewing its data security policies and procedures and will take steps to prevent similar incidents in the future.


Senators Demand Answers from UHG on Aggressive Loan Repayment Tactics Following Cyberattack

Senate Finance Committee Ranking Member Ron Wyden (D-OR) and Senate Banking Committee Ranking Member Elizabeth Warren (D-MA) have demanded answers from UnitedHealth Group about the alleged aggressive tactics being used to recover the funds lent to healthcare providers following the ransomware attack on Change Healthcare last year.

Change Healthcare fell victim to a ransomware attack in February 2024, causing a prolonged outage of Change Healthcare’s systems, which handled approximately 45% of all healthcare transactions at the time of the attack. Providers were reliant on those systems for obtaining authorization and payment from health insurers, and the outage caused severe payment and reimbursement problems, with providers having to cover the costs of treatment, tests, vaccinations, and even prescriptions. Patients also faced disruptions, especially those unable to afford to pay for their medications without copay assistance.

UnitedHealth Group, through its industrial bank subsidiary Optum Financial, established a temporary funding assistance program, which provided interest-free loans to hospitals and medical practices experiencing financial difficulties due to the outage. More than $9 billion in loans were paid to struggling providers. Systems were brought back online after several months; however, the financial difficulties have continued for many providers, who are now having to repay the loans. There have been multiple reports that UnitedHealth Group has been adopting aggressive tactics to recover funds, including withholding payments or health insurance claims through its insurance subsidiary UnitedHealthcare.

“These reports are particularly troubling because they underscore the extraordinary market power of United’s massive, vertically-integrated conglomerate: the problem was caused by a breach of United’s payment clearinghouse, Change; the loans were offered by United’s industrial bank, Optum Financial; and now the company is using its insurance arm as a collection tool,” explained the senators in the August 27, 2025 letter to UnitedHealth Group CEO, Stephen J. Hemsley, and Optum Financial CEO, Dhivya Suryadevara.

UnitedHealth Group has been accused of using loan shark tactics to recover the loans, including refusing to negotiate payment plans. Providers have claimed they were told to immediately repay the loans in full, which in some cases runs to hundreds of thousands of dollars. Some have been threatened with withholding all current claims payments if the debt is not repaid within five business days, and funds will be withheld until the debt is repaid in full. Further, claims have allegedly been rejected for failing to meet the filing deadline from the period after the cyberattack, when Change Healthcare’s systems were offline.

UnitedHealth had previously told the Senate Committee on Banking, Housing, and Urban Affairs and the Senate Committee on Finance that loan recipients were given 45 days to repay the loans, and UnitedHealth Group contacted each recipient multiple times during those 45 days. If no response was received after the 45-day period, providers were contacted and told to pay within five business days. Then, if no response was received, claims would be offset and moved into recoupment. If providers could not repay within that time frame, UnitedHealth Group suggested that it would work out a mutually agreeable repayment plan.

The senators have demanded answers from UnitedHealth Group and Optum Financial on the loan repayment process and have requested answers to the following questions by September 12, 2025.

  1. Provide data indicating the total number of loans lent to providers from March 2024 to present.
  2. Provide documents detailing the process and criteria that Optum Financial used to distribute funds to providers who were adversely impacted by the February 2024 attack.
  3. Provide documents detailing Optum Financial’s repayment process.
  4. Provide a copy of any and all written agreements that were given to providers when they accepted funds.
  5. Provide any and all copies of express repayment plans that Optum Financial offers to health care providers who accepted funds.
  6. Provide documents detailing redress options that Optum Financial makes available to providers who are unable to repay funds within 45 days of initial notification.
  7. Does Optum Financial plan to outsource collection efforts to a third-party?
  8. Provide documents related to any intercompany loans that were made to Optum Financial, if applicable.
  9. Did United Health or Optum Financial solicit or use third-party financing for the purposes of making either loans to providers or intercompany loans? If yes, provide details.
