25% off all training courses Offer ends June 26, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends June 26, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

McPherson Hospital Agrees to $500,000 Settlement to Resolve Class Action Data Breach Lawsuit

Posted By on Jan 14, 2025

McPherson Hospital, a 25-bed critical access hospital in Kansas, has agreed to a $500,000 settlement to resolve a class action lawsuit that alleged the hospital was negligent as it failed to implement reasonable and appropriate safeguards to protect patient data. According to the lawsuit, had those safeguards been implemented the data breach could have been prevented.

McPherson Hospital mailed notification letters to 19,020 patients in May 2023 informing them that some of their protected health information was accessed and potentially stolen in a July 2022 ransomware attack. The ransomware group accessed its network after an employee responded to a phishing email and disclosed their credentials. The investigation and file review confirmed on March 15, 2023, that patient data had potentially been viewed or stollen in the attack, including names, dates of birth, Social Security numbers, medical treatment information, billing information, and health insurance information. The affected individuals were offered 12 months of complimentary single-bureau credit monitoring services.

Individuals affected by the data breach took legal action – In re: McPherson Hospital Data Security Incident Litigation – against the hospital over the data breach in McPherson County District Court in the Ninth Judicial District of Kansas. McPherson Hospital chose to settle the lawsuit with no admission of wrongdoing to bring the litigation to an end to prevent further legal costs and avoid the uncertainty of trial.

Class members may submit claims for reimbursement of documented ordinary losses up to $400, including up to 3 hours of lost time at $30 per hour. Claims may be submitted for documented extraordinary losses due to identity theft and fraudulent account charges up to a maximum of $5,000. Cash payments of $75 may be claimed by individuals who do not submit claims for reimbursement of losses. The cash awards may be paid pro rata depending on the number of claims received. In addition to the above benefits, all class members will be provided with three years of free credit monitoring services. Claims must be submitted by January 29, 2025, and the final approval hearing is scheduled for February 5, 2025.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist