First Choice Dental Agrees to Pay up to $1,225,000 to Settle Data Breach Lawsuit

Posted by Steve Alder

First Choice Dental, a network of 12 dental clinics in Dane and Madison counties in Wisconsin, experienced a ransomware attack on October 22, 2023. A settlement has recently been agreed to resolve litigation stemming from the data breach.

As reported by The HIPAA Journal in January 2024, First Choice Dental issued an interim notification about the incident, alerting patients to the exposure of some of their protected health information. At the time of issuing, the investigation into the cyberattack was ongoing. The HHS’ Office for Civil Rights was provided with an interim total of 1,000 affected individuals.

First Choice Dental explained that unauthorized network activity was first identified on October 22, 2023, but it had yet to be determined how many individuals had been affected or the types of data involved. On July 12, 2024, 9 months after the attack, individual notification letters started to be mailed. Patients were told that the compromised information included names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers/government ID numbers, credit/debit card numbers, and health information. The HHS’ Office for Civil Rights breach portal still lists the data breach as affecting 1,000 individuals, although the breach was far more extensive than the breach portal suggests, affecting more than 159,000 individuals.

The first class action lawsuit over the data breach was filed by plaintiff Kelly Gorder on July 17, 2024, in the Dane County Circuit Court of the State of Wisconsin against FCDG Management, LLC, d/b/a First Choice Dental. A further six lawsuits were subsequently filed in response to the data breach, which were consolidated in a single action in the same court – Kelly Gorder, et al., v. FCDG Management, LLC d/b/a First Choice Dental.

According to the consolidated class action complaint, the data breach could have been prevented if First Choice Dental had implemented reasonable and appropriate safeguards and followed industry-standard data security practices. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, and violations of Wisconsin Statute § 146.82.

First Choice Dental denies the claims and contentions in the lawsuit and maintains there was no wrongdoing and no liability, and on January 6, 2025, sought to have the class action lawsuit dismissed in its entirety. That attempt was partially successful, with the court dismissing the claims of invasion of privacy and unjust enrichment, but the other claims were allowed to proceed. After considering the time and expense of litigation and the uncertainty of a trial and related appeals, all parties engaged in mediation on July 1, 2025, and the principal terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court.

The settlement class consists of 159,145 individuals who were notified about the data breach. Those individuals are entitled to claim a three-year membership to the CyEx Medical Shield Monitoring product, which includes a $1 million identity theft insurance policy. In addition, class members may claim one of two benefits. A claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses due to the data breach up to a maximum of $6,000 per class member. Alternatively, a one-time cash payment of $50 may be claimed.

Claims will be paid after settlement administration costs, attorneys’ fees and expenses, and service awards have been paid, along with $225,000 of security improvements. The total settlement costs, inclusive of the above, have been capped at $1,225,000. Claims will be prorated downward if that total is exceeded.

The deadline for submitting a claim is January 28, 2026, and the final fairness hearing has been scheduled for January 12, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 29, 2025. Further information can be found on the settlement website: https://www.fcdgdatasettlement.com/

The post First Choice Dental Agrees to Pay up to $1,225,000 to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Healthcare Sees 224% Annual Increase in Attacks Targeting Mobile Devices

Posted by Steve Alder

There has been a significant increase in cyberattacks targeting Android mobile devices in critical infrastructure sectors in the past year, according to a new report from the cybersecurity firm Zscaler. The biggest increase was in the energy sector, which saw a 387% increase in mobile attacks, followed by healthcare (224%) and manufacturing (111%).

The Zscaler ThreatLabz team analyzed data collected from customers’ mobile and Internet of Things (IoT) devices between June 2024 and May 2025, the findings of which were published in Zscaler’s 2025 Mobile, IoT & OT Threat Report. “Mobile, IoT, and OT systems have become the backbone of business operations today, enabling innovation and powering critical infrastructure across industries,” explained Zscaler in the report. “Mobile devices now dominate global connectivity, while IoT and OT systems keep manufacturing, healthcare, transportation, and smart cities running.”

Attackers are taking advantage of the proliferation of mobile devices and the expanding web of connectivity. The increase in hybrid and remote working, along with bring-your-own-device policies, has been a contributory factor in the growth of attacks targeting mobile devices for initial access. In the year to May 2025, Android malware transactions increased by 67%, with 239 malicious Android applications downloaded 42 million times from the Google Play Store. Google has controls to prevent malicious applications from being uploaded to its Play Store, but the figures show that attackers are circumventing those controls and can easily infect mobile devices.

IoT devices have proliferated in sectors such as manufacturing and healthcare and have become foundational to operations, but these devices have drastically increased the attack surface and are an easy target for intrusions. IoT devices often have security weaknesses and contain vulnerabilities that can be targeted to breach corporate networks and disrupt operations, most commonly using malware families such as Mirai, Mozi, and Gafgyt for botnet expansion and malicious payload delivery.

The interconnectedness of critical infrastructure sectors such as energy and healthcare, combined with the critical role these sectors play in daily life and national security, makes them attractive targets for sophisticated cyber campaigns. In these sectors, there is low tolerance of downtime, and in healthcare, attackers can access valuable and highly sensitive healthcare data. Attackers are targeting these sectors with sophisticated attacks designed to maximize impact and financial gain.

Zscaler predicts that the coming year will see a continued increase in AI-driven exploits, including hyper-targeted phishing campaigns. AI-driven threats can be difficult to identify, and call for AI-driven defenses. IoT and OT ransomware attacks are likely to continue to increase, especially in industries such as manufacturing, energy, and healthcare.

Zscaler warns that attackers are likely to increasingly target mobile applications as supply chain attack vectors, especially third-party mobile app development pipelines to inject malicious code into widely trusted apps, which will require continuous analysis of app permissions and behavior. Industries such as healthcare that have seen a massive increase in attacks will need to ensure that they have a robust mobile device security strategy

One of the most important defenses against increasingly sophisticated threats is the implementation of zero-trust architectures, and Zscaler says it uis especially important to implement zero-trust frameworks for internet-facing devices such as routers and other edge devices.

The post Healthcare Sees 224% Annual Increase in Attacks Targeting Mobile Devices appeared first on The HIPAA Journal.