Hillcrest Convalescent Center Settles Class Action Data Breach Litigation
Hillcrest Convalescent Center, a short-term inpatient rehabilitation and skilled nursing facility in Durham, North Carolina, has agreed to settle class action litigation over a June 2024 cyberattack.
Hackers breached its network, resulting in unauthorized access to and the potential theft of patients’ personal and protected health information. The hackers had access to information such as names, addresses, dates of birth, financial account numbers, driver’s license numbers, Social Security numbers, medical treatment information, and health insurance information. The incident affected more than 106,000 individuals, who were notified by mail in March 2025.
The data breach sparked several class action lawsuits, which were consolidated as they had overlapping claims. The consolidated lawsuit – In re Hillcrest Convalescent Center, Inc. Data Breach Litigation – is pending in the Superior Court of Durham County, North Carolina. Hillcrest Convalescent Center denies the allegations of wrongdoing and liability and, in September 2025, filed a motion to dismiss the consolidated complaint. The plaintiffs filed their response in October 2025, and later that month, the defendant filed their reply in further support of the motion to dismiss. Shortly thereafter, the parties began exploring the possibility of a settlement.
During mediation in January 2026, the parties agreed on the material terms of a settlement, which has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for reimbursement of documented out-of-pocket losses due to the data incident up to a maximum of $2,500 per class member. Class members who choose not to submit such a claim may instead claim an alternative cash payment, estimated to be $50 per claimant.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Regardless of the option chosen, class members are eligible to enroll in two years of credit monitoring services, which include a $1 million identity theft insurance policy. Claims must be submitted by August 26, 2026, and the final approval hearing has been scheduled for August 24, 2026. Individuals who do not submit a claim will lose the right to sue the defendant over the data breach and will receive nothing from the settlement. Individuals who want to retain the right to sue can exclude themselves and must do so by July 27, 2026. Objections to the settlement must be filed by July 27, 2026.
