Eastern Radiologists Agrees to $3.35 Million Data Breach Settlement

Posted by Steve Alder

Eastern Radiologists in North Carolina has agreed to pay $3.25 million to settle a class action lawsuit over a 2023 data breach that was reported to the HHS’ Office for Civil Rights as involving the protected health information of 886,746 patients. The Eastern Radiologists data breach that prompted the class action lawsuit was detected on November 24, 2023. The investigation confirmed that a threat actor had access to its network from November 20, 2023, to November 24, 2023, and copied files containing patient information. Data compromised in the incident included names, contact information, Social Security numbers, driver’s license numbers, financial account numbers, insurance information, procedure information, diagnoses, and imaging results.

Several class action lawsuits were filed in response to the data breach. Due to the lawsuits having overlapping claims, they were consolidated into a single lawsuit, Powers et al. v. Eastern Radiologists, Inc., in the General Court of Justice, Superior Court Division, in Pitt County, North Carolina. The consolidated class action complaint alleges that Eastern Radiologists failed to implement reasonable and appropriate cybersecurity measures, did not adhere to FTC guidelines on cybersecurity or follow industry standards, and that its conduct violated the Health Insurance Portability and Accountability (HIPAA). In addition to negligence, the lawsuit asserted claims of negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, invasion of privacy, and violations of North Carolina’s Unfair and Deceptive Trade Practices Act.

Eastern Radiologists deny all claims and contentions in the lawsuit and maintain that there was wrongdoing. After considering the risks associated with the litigation and the costs of continuing with the lawsuit, all parties agreed to settle the litigation. Under the terms of the settlement, Eastern Radiologists will establish a $3,250,000 settlement fund out of which attorneys’ fees and expenses, settlement administration costs, and service awards for the named plaintiffs will be deducted. The remainder of the fund will be used to pay benefits to the class members.

All class members may claim one year of medical account monitoring services and one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member. The cash payments for losses have been capped at $200,000 and will be paid pro rata should that total be reached. Alternatively, class members may claim a cash payment, which may be subject to a pro rata increase or decrease.

The deadline for exclusion and objection is October 28, 2025. Claims must be submitted by December 1, 2025, and the final approval hearing has been scheduled for December 15, 2025. Claims will be paid between 30 and 60 days after the final approval hearing.

The post Eastern Radiologists Agrees to $3.35 Million Data Breach Settlement appeared first on The HIPAA Journal.

ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025

Posted by Steve Alder

The latest data from the Identity Theft Resource Center (ITRC) has confirmed that system compromises and data breaches are still being reported in high numbers, although there has been a slight reduction in incidents compared to the previous quarter. In Q2 2025, ITRC tracked 913 compromise incidents, plus a further 835 incidents in Q3. So far this year, ITRC has tracked 2,563 compromises, resulting in almost 202 million victim notices.

Given the high number of data compromises in each quarter this year, 2025 looks likely to be a record-breaking year, with only a further 640 compromises required in the last quarter of the year to set a new record.  While compromises are up, the number of victim notices sent so far is down considerably from last year’s record-breaking total due to a reduction in mega data breaches. That said, there have been some sizeable data breaches this year.

In the first half of the year, five of the top ten biggest data breaches involved protected health information, with the data breaches at Yale New Haven Health System, Episource, and Blue Shield of California affecting more than 15.6 million patients. In Q3, while the biggest data breach was at TransUnion, involving 4.46 million victim notices, the next four largest data breaches occurred at healthcare organizations: the ransomware attack on the kidney dialysis provider DaVita (2,689,826 victims), and the cyberattacks on Anne Arundel Dermatology (1,905,000 victims), Radiology Associates of Richmond (1,419,091 victims), and Absolute Dental Group (1,223,635 victims).

Out of the 835 compromises in Q3, there were 749 confirmed data breaches involving 23,053,451 victim notices. Out of those data breaches, 691 were cyberattacks (22,985,802 victims), 46 were due to system and human error (62,297 victims), 33 breaches/exposures were supply chain attacks (3,793,381 victims), and 19 were due to physical attacks (5,352 victims). The highest number of data compromises occurred in the financial services sector (188 compromises), followed by healthcare (149 compromises), professional services (114 compromises), manufacturing (76 compromises), and education (45 compromises).

The trend of withholding details of the attack vector in breach notices is continuing to grow, with 71% of victim notices in Q3 missing that information, up from 69% in the first half of the year. The attack vector can help victims of the breach gauge the level of risk they face. Failing to state the exact cause of the breach can place victims at an increased risk of identity theft and fraud. The advice from ITRC, given the frequency at which cyberattacks and data breaches now occur, is to place a credit freeze with each of the three main credit reporting agencies (Experian, Equifax & TransUnion), regardless of whether personal data has been compromised. In addition, it is important to practice good cyber hygiene, set unique 12+ character passphrases on all accounts, and ensure that multi-factor authentication is activated wherever possible.

The post ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025 appeared first on The HIPAA Journal.

ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025

Posted by Steve Alder

The latest data from the Identity Theft Resource Center (ITRC) has confirmed that system compromises and data breaches are still being reported in high numbers, although there has been a slight reduction in incidents compared to the previous quarter. In Q2 2025, ITRC tracked 913 compromise incidents, plus a further 835 incidents in Q3. So far this year, ITRC has tracked 2,563 compromises, resulting in almost 202 million victim notices.

Given the high number of data compromises in each quarter this year, 2025 looks likely to be a record-breaking year, with only a further 640 compromises required in the last quarter of the year to set a new record.  While compromises are up, the number of victim notices sent so far is down considerably from last year’s record-breaking total due to a reduction in mega data breaches. That said, there have been some sizeable data breaches this year.

In the first half of the year, five of the top ten biggest data breaches involved protected health information, with the data breaches at Yale New Haven Health System, Episource, and Blue Shield of California affecting more than 15.6 million patients. In Q3, while the biggest data breach was at TransUnion, involving 4.46 million victim notices, the next four largest data breaches occurred at healthcare organizations: the ransomware attack on the kidney dialysis provider DaVita (2,689,826 victims), and the cyberattacks on Anne Arundel Dermatology (1,905,000 victims), Radiology Associates of Richmond (1,419,091 victims), and Absolute Dental Group (1,223,635 victims).

Out of the 835 compromises in Q3, there were 749 confirmed data breaches involving 23,053,451 victim notices. Out of those data breaches, 691 were cyberattacks (22,985,802 victims), 46 were due to system and human error (62,297 victims), 33 breaches/exposures were supply chain attacks (3,793,381 victims), and 19 were due to physical attacks (5,352 victims). The highest number of data compromises occurred in the financial services sector (188 compromises), followed by healthcare (149 compromises), professional services (114 compromises), manufacturing (76 compromises), and education (45 compromises).

The trend of withholding details of the attack vector in breach notices is continuing to grow, with 71% of victim notices in Q3 missing that information, up from 69% in the first half of the year. The attack vector can help victims of the breach gauge the level of risk they face. Failing to state the exact cause of the breach can place victims at an increased risk of identity theft and fraud. The advice from ITRC, given the frequency at which cyberattacks and data breaches now occur, is to place a credit freeze with each of the three main credit reporting agencies (Experian, Equifax & TransUnion), regardless of whether personal data has been compromised. In addition, it is important to practice good cyber hygiene, set unique 12+ character passphrases on all accounts, and ensure that multi-factor authentication is activated wherever possible.

The post ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025 appeared first on The HIPAA Journal.