Cardiovascular Consultants Pays $3.85M to Settle Data Breach Litigation
Cardiovascular Consultants in Arizona has settled a class action lawsuit stemming from a 2023 data breach involving the protected health information of 484,000 individuals. The data breach was detected on September 29, 2023, and the forensic investigation determined that a hacker had gained access to its network two days previously. Files containing patient information were exfiltrated before ransomware was used to encrypt files.
The compromised files contained patient and guarantor information, including names, mailing addresses, birth dates, emergency contact information, Social Security numbers, driver’s license numbers, state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records. Notification letters were mailed on December 2, 2023.
A class action complaint was filed in December 2023 by plaintiffs Michele Stroup and Georgios Asimakopoulos, and additional plaintiffs later joined the litigation as class representatives. The defendant denied all claims in the lawsuit and sought to have the lawsuit dismissed. That attempt was only partially successful, with a judge granting and denying the motion to dismiss in part. An amended complaint – Stroup, et al. v. Cardiovascular Consultants Ltd. – was filed, which is pending in the Superior Court of the State of Arizona, County of Maricopa.
The lawsuit alleged that the defendant failed to implement reasonable security protections to safeguard its information systems and databases, and that the handling of the data breach was deficient, with notifications unreasonably delayed. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, violation of the Arizona Consumer Fraud Act, and invasion of privacy, all of which were denied by the defendant.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Following mediation, a settlement was agreed that was acceptable to all parties, allowing them to avoid further litigation costs and the uncertainty of a trial. Under the terms of the settlement, Cardiovascular Consultants has agreed to establish a $3,850,000 settlement fund to cover all costs associated with the litigation, including attorneys’ fees and expenses, notice and administration costs, and service awards for the class representatives.
The remainder of the settlement fund will be used to pay benefits to the class members. Class members may claim two years of medical monitoring plus one or two cash payments – a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member and/or a pro rata cash payment, which is estimated to be $75 per class member, but may be higher or lower depending on the number of valid claims received.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 18, 2026. Individuals wishing to object to the settlement or exclude themselves must do so by June 1, 2026. The deadline for submitting a claim is July 1, 2026.
