25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Atlantic General Hospital Settles Data Breach Lawsuit for $2.25 Million

Posted By on Aug 22, 2024

A $2.24 million settlement proposed by Atlantic General Hospital in Berlin, MD, to resolve a class action lawsuit stemming from a 2023 ransomware attack has received preliminary approval from the court. The nonprofit hospital, part of the Atlantic General Health System, discovered the ransomware attack on January 29, 2023, when files were encrypted. The attack caused disruption to patient services for several days due to the inability to access patient records and IT systems. The ransomware group had access to its network from January 20, 2023, to January 29, 2023.

The initial findings of the investigation indicated around 30,400 individuals had been affected and notifications were issued on March 24, 2024; however, as the investigation progressed it became clear that more data was involved than previously thought, bringing the total affected up to 136,981. Data compromised in the attack included names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical histories, diagnosis and treatment information, and financial information. The affected individuals were offered one year of complimentary credit monitoring services.

Multiple lawsuits were filed against Atlantic General Hospital over the attack, which were consolidated in a single class action in the U.S. District Court for the District of Maryland. The amended lawsuit names Michael Rentschler, Cathy Ehrisman, Heather Byam, and Kathleen G. Appel as plaintiffs and includes a class of similarly situated individuals whose sensitive data was compromised in the ransomware attack.

The lawsuit alleged Atlantic General Hospital was negligent due to a “negligent, reckless, intentional, and or unconscionable failure to adequately satisfy its contractual, statutory, and common-law obligations,” including HIPAA, FTC guidelines, and industry-standard data protection protocols.  The lawsuit alleged that Atlantic General Hospital could have prevented the data breach by encrypting sensitive data on its network, and failed to detect the intrusion for more than a week.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The lawsuit also alleged a failure to issue timely notifications to the individuals affected and then failed to include important information in the notification letters, such as the length of time the hackers had access to its network, and the full extent of information involved in the breach. While credit monitoring services were offered, the plaintiff and class were only offered 12 months of services, when the risk of misuse of their data is likely to remain for the remainder of their lives.

The amended lawsuit asserted claims of negligence, breach of implied contract, bailment, unjust enrichment, and a violation of the Maryland Consumer Protection Act, and sought a jury trial, damages, legal costs, attorneys’ fees, and injunctive relief. Atlantic General Health System proposed the settlement to avoid ongoing legal costs and the uncertainty of trial; however, denies all charges of liability and wrongdoing and each of the claims and the contentions alleged in the lawsuit.

Under the terms of the settlement, a fund of $2,250,000 will be created to cover all claims, legal expenses, and attorneys’ fees. The attorneys are seeking one-third of the settlement, or $750,000. Class members may submit a claim for up to $5,000 for reimbursement of documented losses, or alternatively can choose to receive a cash payment, which will be paid pro rata after all costs, fees, and claims have been paid. In addition to one of those benefits, class members may also claim 3 years of credit monitoring and insurance services.

The court has granted preliminary approval of the settlement, and the final fairness hearing is scheduled for September 5, 2024. The final date for submitting a claim is August 22, 2024. The plaintiffs and the class were represented by attorneys from Kramon & Graham; Cafferty Clobes Meriwether & Sprengel; and Millberg Coleman Bryson Phillips Grossman.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist