In June of last year, we reported that a settlement had been agreed to resolve a class action lawsuit against Akeela, Inc., over a June 2023 cybersecurity incident and data breach. The case was stayed until July 18, 2025, and ahead of that date, the plaintiff was required to move for preliminary approval of class certification. Ahead of that date, the plaintiff, Jessica McRorie, dismissed her complaint without prejudice and immediately joined a separate complaint, Batin et al. v. Akeela, Inc., which made substantially similar allegations. The Batin case, filed in the Superior Court for Anchorage, Alaska, has recently been settled, and the settlement has received preliminary approval from the court.

The Batin case lists Jessica McRorie, Elynnie Batin, Jane Doe, Rocky Hawley, Andrew Metcalf, Thomas Maxim, and Kathleet Yarr (Personal Representative for the Estate of Ian Christiansen) as plaintiffs, who allege that their names, Social Security numbers, dates of birth, and medical diagnosis and treatment information were exposed to cybercriminals as a result of the negligence of Akeela. Akeela is alleged to have failed to adequately secure its network, which allowed cybercriminals to access patients’ sensitive data.

The defendant denies the claims and contentions in the lawsuit and disputes the facts, including that any damages have been suffered as a result of the data breach or that the action satisfies the requirements to be certified or tried as a class action. To avoid continuing with the litigation, which would likely be protracted and expensive, and to avoid the uncertainty of a trial, a settlement was agreed.

Compared to most settlement agreements to resolve class action data breach lawsuits, the benefits are limited. Class members may submit a claim for two years of credit monitoring and identity theft protection services, and a pro rata cash payment may be claimed. The cash payments will be paid from the remainder of a $50,000 settlement fund after credit monitoring costs have been deducted.  Attorneys’ fees and other costs and expenses will be paid separately by Akeela. The deadline for objection and exclusion is April 13, 2026; the claims deadline is May 25, 2026, and the final approval hearing has been scheduled for April 13, 2026.

June 4, 2025: Akeela Inc. Agrees to Settlement to Resolve Class Action Data Breach Litigation

Akeela Inc., an Anchorage, AK-based provider of mental health and substance use disorder treatment services, has agreed to settle a class action lawsuit filed in response to a 2023 data breach that exposed the protected health information of more than 284,000 individuals.

On or around June 22, 2023, Akeela experienced a disruption to its IT network. The forensic investigation confirmed there had been unauthorized network access and the exfiltration of administrative files containing patients’ protected health information. The stolen information included names, dates of birth, diagnosis and treatment information, and Social Security numbers.

In August 2024, a class lawsuit – Jessica McRorie v. Akeela Inc. – was filed in the United States District Court for the District of Alaska over the data breach. The lawsuit alleged Akeela was negligent by failing to secure and safeguard patients’ personally identifiable and protected health information and did not comply with industry-standard data security practices, even though there was a known risk that cybercriminals actively target healthcare providers. The lawsuit claims Akeela maintained sensitive data in a reckless manner, and as a direct consequence of its negligence, sensitive patient data is now in the hands of cybercriminals.

Further, when the breach was detected, Akeela delayed issuing notification letters to the affected individuals, who were informed that their sensitive data had been stolen more than a year after the data breach was identified. The lawsuit claims that the delay diminished the plaintiff and class members’ ability to timely and thoroughly mitigate and address the harms resulting from the data breach.

The lawsuit claims the plaintiff and class members have suffered concrete injuries as a result of the data breach, including financial costs from mitigating the risk and imminent threat of identity theft and fraud, lost of time and productivity, actual identity theft and fraud, deprivation of the value of their private information, loss of privacy, and emotional distress, anxiety, and stress. In addition to claims for negligence and negligence per se, the lawsuit asserted claims of breach of implied contract, breach of fiduciary duty, invasion of privacy, and unjust enrichment.

Akeela maintains there was no wrongdoing and denies all of the claims and contentions in the lawsuit; however, the healthcare provider agreed to settle the litigation to avoid further legal costs and the uncertainty of trial. Details of the settlement agreement have yet to be made public; however, the plaintiff and Akeela have reached an agreement in principle on an appropriate settlement. Notices for class members and the motion for preliminary approval from the court are now being prepared.

This post will be updated when the settlement receives preliminary approval from the court.

The post Akeela Data Breach Settlement Gets First Nod from the Court appeared first on The HIPAA Journal.

Essen Medical Associates has agreed to pay $4,000,000 to resolve class action litigation over a March 2023 cyberattack and data breach that affected 904,672 current and former patients. Essen Medical, a New York-based healthcare provider, experienced a cyberattack that saw hackers access its network between March 14, 2023, and March 22, 2023.

Data exposed in the incident included personally identifiable information and protected health information such as names, driver’s license numbers/state identification numbers, U.S. alien registration numbers, non-U.S. identification numbers, passport numbers, financial account information, dates of birth, Social Security numbers, medical treatment information, and health insurance information.

The data breach sparked several class action lawsuits, which were consolidated – Rivera, et al. v. Essen Medical Associates, P.C – in the Supreme Court of the State of New York, County of Bronx. The consolidated lawsuit alleged that the cyberattack was preventable and was the result of the defendant’s failure to implement adequate and appropriate cybersecurity procedures and protocols. The lawsuit claimed that the defendants recklessly maintained data on systems vulnerable to cyberattacks.

The lawsuit asserted claims for negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violation of the New York Deceptive Trade Practices Act. Essen Medical denies all charges of wrongdoing or liability, and all claims or contentions alleged against it. All parties agreed that a settlement was the best outcome, and class counsel and the six class representatives believe that the settlement is fair. The settlement has recently received preliminary approval from the court and awaits final approval.

Under the terms of the settlement, Essen Medical will establish a $4,000,000 settlement fund to cover attorneys’ fees and expenses, service awards for the class representatives, and all costs related to the settlement. The attorneys’ fees will be no more than 33.33% of the settlement fund, and the service awards will be no more than $3,000 per class representative. The remainder of the fund will be used to pay for class member benefits.

Class members may submit a claim for documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition, a claim may be submitted for a cash payment of up to $100 per class member. The deadline for objecting to the settlement and exclusion is May 4, 2026. Claims must be submitted by June 1, 2026, and the final fairness hearing has been scheduled for July 7, 2026.

The post Essen Medical Associates Agree to $4 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.