Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit
Bradford Health Services, LLC, and Bradford Health Partners, LLC, were sued over a December 2023 cybersecurity incident that exposed the personal and protected health information of current and former patients. The lawsuit states 32,425 individuals were affected by the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 28,543 individuals.
The unauthorized access was detected on December 8, 2023, and the file review determined that names, dates of birth, driver’s license numbers, medical information, including diagnosis and treatment information, health insurance information, financial account numbers, passport numbers, payment card numbers, plus a means of access to the account, and/or Social Security numbers had been compromised. The data review was not completed until May 2025, and notification letters started to be mailed later that month – 18 months after the breach was first identified. The Hunters International threat group claimed responsibility for the attack and stated that more than 760 GBs of data were exfiltrated from the defendants’ systems.
Multiple class action lawsuits were filed in response to the cyberattack and data breach, which were consolidated – In Re Bradford Health Services, LLC Data Breach Litigation – in the Circuit Court of Jefferson County, Alabama, Birmingham Division, where the lawsuit is still pending. The plaintiffs allege that the data breach was due to the negligence of the defendants, who are alleged to have failed to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence/wantonness, negligence per se, breach of express or implied contract, and unjust enrichment.
Shortly after the consolidated class action lawsuit was filed, the parties began exploring the possibility of an early resolution to limit costs and avoid the uncertainty of a trial and related appeals. Following mediation in October 2025, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and has received preliminary approval from the court.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The defendant has agreed to pay attorneys’ fees, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. All class members are entitled to enroll in three years of medical data monitoring services and may also submit a claim for reimbursement of documented losses up to $5,000 per class member, or an alternative cash payment, which is estimated to be $150, but may be higher or lower depending on the number of claims received.
The deadline for objection and exclusion is August 3, 2026, and claims must be submitted by August 17, 2026. The final fairness hearing has been scheduled for September 1, 2026.
