Dakota Eye Institute Settles Class Action Data Breach Lawsuit for $1 Million
Dakota Eye Institute, a multi-specialty group of board-certified ophthalmologists and optometrists based in Bismarck, North Dakota, has agreed to pay $1,000,000 to settle a consolidated class action lawsuit over an October 2023 data breach that affected 107,143 patients. Dakota Eye Institute said it detected a network intrusion in October 2023 and confirmed that sensitive patient data had been exfiltrated from its network. Data compromised in the incident included full names, date of birth, health insurance information, medical information, and Social Security numbers. Several class action lawsuits were filed in response to the data breach, which were consolidated in the District Court County of Burleigh South Central Judicial District, South Dakota, into a single complaint – In re Dakota Eye Institute Data Security Litigation – as the lawsuit had overlapping claims. The plaintiffs alleged that they suffered ascertainable losses and harm as a result of the data breach, including invasion of privacy, the loss of the benefit of the bargain, lost time, out-of-pocket...
New York Home Healthcare Provider Identifies Email Account Breach
Excellent Home Care Services in New York has identified unauthorized access to an employee’s email account. Sports Medicine & Orthopaedics in Rhode Island has discovered a ransomware attack on a server containing disused electronic health records. Excellent Home Care Services Excellent Home Care Services, LLC, in New York, has identified unauthorized access to an employee’s email account. Suspicious activity was identified in the account on November 25, 2025, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that the account was accessed by an unauthorized individual for a brief period, during which time files containing patient data may have been viewed. Excellent Home Care Services was able to identify the types of files that had been exposed, but not the files that were viewed. The affected data includes full names in combination with one or more of the following: address, phone number, date of birth, gender, Social Security number, Medicare/Medicaid number, and medical information related to your plan of care,...
De-identification of Protected Health Information: How to Anonymize PHI
The de-identification of Protected Health Information enables covered entities and business associates to use or disclose health information to third parties for any purpose without being restricted by the requirements of the HIPAA Privacy Rule. However, it is important to be aware that other laws may apply to uses and disclosures of de-identified health information. You can use our free Protected Health Information Guide to learn how to de-identify and anonymize PHI. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, health information can be freely disclosed. Why De-Identify Protected Health Information? Protected Health Information (PHI) is individually identifiable health information – whether digital, paper, or oral – that relates to an individual’s health condition, treatment for the condition, or payment for the treatment. To protect the information, the HIPAA Privacy Rule stipulates which uses and disclosures of PHI are required or permitted, which uses and disclosures require consent or...
Sunflower Medical Group to Pay Up to $1.2 Million to Settle Class Action Data Breach Lawsuit
Kansas City, KS-based Sunflower Medical Group has agreed to pay up to $1,200,000 to settle a class action lawsuit stemming from a December 2024 ransomware attack. The ransomware attack was conducted by the Rhysida ransomware group, which gained access to its network on or around December 15, 2024. Sunflower Medical Group determined on January 7, 2025, that sensitive patient data had been stolen, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical information, and health insurance information. Rhysida claimed to have exfiltrated a 3-terabyte SQL database in the attack, containing the data of approximately 400,000 patients. If a ransom is not paid, Rhysida attempts to sell the stolen data and leaks any unsold data on its dark web data leak site, as was the case in this attack. Sunflower Medical Group’s file review identified 220,968 affected individuals, although the class size of the lawsuit is 255,734 individuals. Several class action lawsuits were filed against Sunflower Medical Group over the data breach. The lawsuits were...
Former Evoke Wellness Employee Obtained and Misused Patient Data
A former employee of Evoke Wellness at Hilliard has stolen and misused patient data, Conifer Value-Based Care has experienced an email account breach, and patient data was potentially stolen in a break-in at a Heart of Texas Behavioral Health Network facility. Evoke Wellness at Hilliard OCAT, LLC dba Evoke Wellness at Hilliard, a provider of behavioral health services, has reported a data breach affecting patients of its Hilliard, Ohio facility. Evoke Wellness at Hilliard was notified by law enforcement on May 20, 2025, that sensitive data had been stolen from its systems, prompting an internal investigation. Law enforcement found stolen data in the possession of the individual, and the Evoke Wellness investigation confirmed unauthorized access to the records of 1,629 patients. Data obtained by the individual included full names, addresses, phone numbers, email addresses, Social Security numbers, medical records, diagnoses and treatment information, treatment dates, lab results, prescriptions, health insurance information, driver’s license numbers, passport numbers, payment card...



