Tangoe Data Breach Settlement Receives Preliminary Approval

Posted by Steve Alder

Tangoe, a provider of software solutions for managing telecom, mobile, and cloud expenses, has agreed to a settlement to resolve a class action lawsuit stemming from a November 2022 security incident. Tangoe experienced a cyberattack, exposing sensitive data such as names, dates of birth, Social Security numbers, medical information, health insurance information, medication information, billing and claims information, and financial account information. Hackers had access to its systems between November 15, 2022, and November 17, 2022.

The breach affected some of its healthcare clients and involved unauthorized access to the protected health information of 4,765 individuals, according to the breach notice filed with the HHS’ Office for Civil Rights. While the breach occurred in November 2022, it took until November 1, 2023, for the affected individuals to be notified. A lawsuit – Kevin McLinden v. Tangoe US, Inc.– was filed in the Superior Court for Marion County, Indiana, over the data breach, alleging Tangoe failed to implement reasonable and appropriate cybersecurity measures, leading to an entirely preventable data breach. Tangoe denies all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability.

After prolonged and extensive arm’s length negotiations, all parties agreed to a settlement to avoid the expense and length of protracted litigation and the uncertainty of a trial and any related appeals. Under the terms of the settlement, class members are entitled to claim two years of credit monitoring services, which include a $1 million identity theft insurance policy. In addition to the credit monitoring services, class members may claim one or more cash payments.

A claim may be submitted for compensation for documented, unreimbursed ordinary losses due to the data breach incurred between November 2022 and June 3, 2026. Claims for reimbursement of ordinary losses have been capped at $750 per class member. A claim may also be submitted for compensation for lost time up to a maximum of four hours at $25 per hour ($100). The lost time claims are included in the $750 ordinary losses cap.

A claim may also be submitted for reimbursement of extraordinary losses, such as documented, unreimbursed losses due to identity theft and fraud. Claims for extraordinary losses have been capped at $5,000 per class member. If a claim for reimbursement of losses/lost time is not submitted, class members are eligible to claim an alternative pro rata cash payment. The cash payments will be paid from the remainder of the settlement fund, and are expected to be around $50, but may be higher or lower depending on the number of claims received. No proof is required to submit a claim for an alternative cash payment.

The deadline for exclusion and objection to the settlement is May 4, 2026. Claims must be submitted by June 3, 2026, and the final fairness hearing has been scheduled for June 11, 2026. Individuals who do nothing will receive no benefits and will lose the right to sue the defendant over the data breach or participate in other lawsuits related to the data breach.

The post Tangoe Data Breach Settlement Receives Preliminary Approval appeared first on The HIPAA Journal.

North Texas Behavioral Health Authority Data Breach Affects 285K Individuals

Posted by Steve Alder

North Texas Behavioral Health Authority (NTBHA), a provider of mental health and substance use treatment and services in Dallas, Ellis, Hunt, Kaufman, Navarro & Rockwall counties, has notified the Department of Health and Human Services (HHS) Office for Civil Rights about a breach of the protected health information of 285,086 individuals. The data breach is the 6th largest data breach reported to OCR so far in 2026.

NTBHA identified unauthorized activity within its computer systems on or around October 15, 2025, and launched an investigation to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party accessed its network between October 13, 2025, and October 15, 2025, during which time files containing patient information may have been viewed or acquired.

It took around three months to review the affected files, and on January 7, 2026, NTBHA confirmed that some of the files contained personal information. The substitute data breach notice does not list the types of data involved, although for some individuals, Social Security numbers were exposed. NTBHA said that at the time of issuing breach notification letters, no evidence had been found of any actual or attempted misuse of the impacted information.

Notification letters started to be sent to the affected individuals on March 6, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. NTBHA said it continually evaluates its privacy and security measures and has taken steps to augment security following this incident. They include resetting passwords, expanding multi-factor authentication, and deploying advanced endpoint detection and response tools and services. At present, no threat actor appears to have claimed responsibility for the incident. Several law firms have opened investigations in response to the data breach and are considering filing class action lawsuits.

The post North Texas Behavioral Health Authority Data Breach Affects 285K Individuals appeared first on The HIPAA Journal.

Chicago’s Saint Anthony Hospital Reports Breach Affecting 146,000 Individuals

Posted by Steve Alder

Saint Anthony Hospital, a nonprofit, faith-based, acute care, community hospital in Chicago, has started notifying individuals about unauthorized access and/or theft of some of their personal and protected health information. The substitute breach notification does not state when the unauthorized access was detected, only that an unauthorized third party accessed and/or acquired certain files and folders of unstructured data from its email system on February 27, 2025. The forensic investigation confirmed that electronic medical records were not affected by the incident.

More than a year after the unauthorized access occurred, notification letters are being sent to the affected individuals. Saint Anthony Hospital said the third-party specialists engaged to review the affected files completed their review on February 13, 2026, and notification letters started to be mailed to the affected individuals on March 6, 2026, after the results of the data review were verified and contact information was obtained.

The substitute breach notice on the Saint Anthony Hospital website does not state what types of information were involved; however, the hospital had previously disclosed in November 2025 that names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, prescription information, and medical histories were involved. Back in November, the hospital reported that approximately 6,600 patients and employees had been affected; however, the breach notice submitted to the HHS’ Office for Civil Rights shows that the breach was much larger, involving the protected health information of 146,108 individuals.

While no evidence has been found to suggest any actual or attempted misuse of patient data, the affected individuals have been advised to exercise caution and monitor their free credit reports, financial accounts, and explanation of benefits statements carefully for signs of data misuse. Complimentary credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals.

The post Chicago’s Saint Anthony Hospital Reports Breach Affecting 146,000 Individuals appeared first on The HIPAA Journal.