Boston Children’s Health Physicians Pays $5.15M to Settle Data Breach Lawsuit
Valhalla, NY-based Boston Children’s Health Physicians (BCHP) and ATSG Inc. have agreed to pay $5,150,000 to settle a class action lawsuit stemming from a September 2024 cyberattack and data breach that affected approximately 918,000 individuals.
BCHP is a multi-specialty pediatric group serving newborns and children in New York and Connecticut. On September 6, 2024, BCHP learned that a hacking group had gained access to systems of its managed services provider (ATSG Inc. – now XTIUM Inc.), and on September 10, 2024, the hacking group abused the IT vendor’s access to breach its own systems.
The Bianlian hacking group claimed responsibility for the attack and gained access to names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record numbers, health insurance information, billing information, and limited treatment information. The breach was reported to the HHS as involving the protected health information of 909,469 patients, and employee data was also compromised, with approximately 918,000 individuals in total affected by the breach.
Five lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Noni Wahab, et al. v. Boston Children’s Health Physicians, LLP and ATSG Inc.– in the Supreme Court of the State of New York, County of Westchester. The consolidated class action complaint alleged negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and a violation of New York General Business Law.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The defendants maintain there was no wrongdoing and no liability; however, they chose to settle the lawsuit to avoid the litigation costs, expenses, distractions, burden, and disruption to business operations associated with continuing with the litigation. Under the terms of the settlement, the defendants will establish a $5,150,000 settlement fund to cover attorneys’ fees (up to $1,716,667), attorneys’ expenses (yet to be determined), service awards to the class representatives ($2,500 for each of the named plaintiffs), credit monitoring costs (yet to be determined), settlement administration costs (yet to be determined), and payments to class members.
Two cash payments are available. Class members may submit a claim for reimbursement of documented, unreimbursed losses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may choose to receive a pro rata cash payment, which will be paid after all costs and claims have been paid. The cash payment is expected to be $100, but may be increased or decreased depending on the number of claims received.
In addition to a cash payment, class members may claim two years of Cyex Medical Shield Medical Data Monitoring, which includes medical identity monitoring, real-time alerts, and a $1 million identity theft insurance policy. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 10, 2025. Class members wishing to object to or exclude themselves from the settlement must do so by November 10, 2025, and claims must be submitted by November 25, 2025. Further information is available on the settlement website: https://bchpsettlement.com/
