Akumin Agrees to Pay $1.5 Million to Settle Class action Data Breach Lawsuit

Posted by Steve Alder

Akumin, a Florida-based provider of outpatient radiology and oncology services with locations in more than 20 U.S. states, has agreed to settle a class action lawsuit stemming from an October 2023 cybersecurity incident.

Akumin identified suspicious network activity on October 11, 2023, and confirmed that a threat actor accessed its network on October 11, 2023, and used ransomware to encrypt files.  The files potentially accessed and/or copied by the threat actor included patient and employee information such as names, contact information, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, medical record numbers, Medicare/Medicaid numbers, financial account information, health information, occupational health information, medical images, biometric information, billing and claims information, health insurance information, electronic signatures and other sensitive data.

The security incident was announced by Akumin on its website on October 12, 2023, and the data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 7,127 individuals.  Notification letters were sent to those individuals on December 29, 2023, and around a year later, on December 23, 2024, notification letters were mailed to the further affected individuals.

Several class action lawsuits were filed against Akumin over the data breach, which were consolidated into a single lawsuit – Gina Letizio, et al. v. Akumin Operating Corp. – in the Circuit Court of the 17th Judicial Court in and for Broward County, Florida. The consolidated lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, breach of confidence, unjust enrichment, and declaratory judgment. Akumin denies any wrongdoing and maintains there is no liability but chose to settle the lawsuit to avoid the litigation costs and expenses, distractions, burden, and disruption to its business operations associated with continuing with the litigation. The plaintiffs believe their claims are valid but agreed to settle the lawsuit for similar reasons.

Under the terms of the settlement, Akumin has agreed to establish a $1.5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for each of the named plaintiffs. After those costs have been paid, the remaining funds will be used to pay benefits to the class members. All class members are entitled to submit a claim for a cash payment to reimburse them for documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member. In addition to the cash payment, class members may also claim one year of free medical data monitoring services.

The deadline for objection to and exclusion from the settlement is November 30, 2025, and claims must be submitted by the same date. The settlement has received preliminary approval from the court, and the final approval hearing has been scheduled for December 15, 2025. Further information can be found on the settlement website, https://akumindataincidentsettlement.com/

The post Akumin Agrees to Pay $1.5 Million to Settle Class action Data Breach Lawsuit appeared first on The HIPAA Journal.

Data Breaches Announced by Watsonville Community Hospital & Palomar Health Medical Group

Posted by Steve Alder

Data breaches have recently been announced by Watsonville Community Hospital and Palomar Health Medical Group in California, and the Phia Group in Massachusetts.

Watsonville Community Hospital

Watsonville Community Hospital in California is notifying individuals affected by a November 2024 security incident. Suspicious activity was identified within its computer systems on November 29, 2024, and the investigation confirmed that there had been unauthorized access to its network from November 25, 2024, to November 30, 2024, when the hackers were ejected from its network. The investigation confirmed that files containing patient information were either accessed or downloaded during those five days.

The file review confirmed that the data compromised in the incident included names, addresses, and driver’s license numbers or government ID numbers, with the exposed data varying from individual to individual. Notification letters started to be sent to the affected individuals on December 30, 2024; however, the file review was not completed until September 22, 2025. The final batch of notification letters started to be mailed on October 15, 2025.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. Watsonville Community Hospital has implemented additional cybersecurity safeguards and has provided further training to its workforce. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Palomar Health Medical Group

Arch Health Partners, Inc., doing business as Palomar Health Medical Group, in Poway, California, has started notifying patients about a data security incident first identified on May 5, 2024. Palomar Health Medical Group launched an investigation into suspicious network activity and confirmed that an unauthorized threat actor gained access to certain files on its network on April 23, 2024, and maintained access until the data breach was detected on May 5, 2024. During that time, files may have been copied that contained patient information.

The data compromised in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, military identification numbers, passport numbers, U.S. alien registration numbers, financial account information, payment card information, health savings account information, medical histories, diagnostic information, treatment information, biometric data, medical record numbers, Medicare/ Medicaid identification numbers, patient account numbers, health insurance information, email addresses and passwords, and usernames and passwords.

Palomar Health Medical Group had previously announced the cyberattack and data breach; however, it took until September 4, 2025, to finish the review of the affected files to allow notification letters to be sent. Complimentary credit monitoring and identity theft protection services have been made available for 12 or 24 months, and steps have been taken to improve security to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The Phia Group

The Phia Group, a Canton, Massachusetts-based provider of outsourced cost containment and payment integrity solutions to healthcare payers, has recently notified the Massachusetts Attorney General about a recent data security incident. The notice is a copy of the data breach notifications sent to the affected individuals, and it provides no information about the nature of the data breach, such as when it occurred, when it was detected, or the cause of the breach. The data potentially compromised in the incident includes names, Social Security numbers, and medical record numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

This post will be updated when further information becomes available.

The post Data Breaches Announced by Watsonville Community Hospital & Palomar Health Medical Group appeared first on The HIPAA Journal.