City of Hope Settles Class Action Data Breach Lawsuit
City of Hope, a Duarte, California-based non-profit clinical research and cancer treatment center, has agreed to settle a class action lawsuit stemming from a 2023 data breach that affected more than 827,000 individuals. Hackers had access to the City of Hope network between September 2023 and October 2023, and exfiltrated sensitive data.
Several class action lawsuits were filed over the data breach, as detailed in previous coverage by The HIPAA Journal below. The lawsuits had overlapping claims and were consolidated – In re City of Hope Data Security Breach Litigation – in the Superior Court of the State of California for the County of Los Angeles. The consolidated lawsuit asserted claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. City of Hope maintains there was no wrongdoing or liability. Following mediation, all parties reached an agreement in principle to settle the lawsuit to avoid the cost, time, risks, and uncertainty associated with continuing with the litigation. The terms of the settlement have now been agreed, and the settlement has received preliminary approval from the court.
City of Hope has agreed to establish an $8,500,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards, and benefits for the class members. Class members may claim up to $5,000 in reimbursement for documented, unreimbursed losses fairly traceable to the data breach, which may include up to four hours of lost time at $25 per hour. Alternatively, class members may submit a claim for a cash payment estimated to be $100. The cash payments may be increased or decreased pro rata depending on the remaining funds after attorneys’ fees, expenses, administration costs, service awards, reimbursement claims, and credit monitoring costs have been paid.
All class members who submit a claim for reimbursement of documented losses or the alternative cash payment will receive a code that can be used to enroll in a medical information and protection service from CyEx, which includes single-bureau credit monitoring and protection against medical fraud. Class members who resided in California at any point between September 19, 2023, and January 13, 2026, are entitled to claim an additional cash payment of $250, which may also be adjusted pro rata.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Individuals who wish to object to or be excluded from the settlement have until December 15, 2025, to do so, and all claims must be submitted by January 13, 2026. The final approval hearing has been scheduled for February 20, 2026.
April 25, 2024: Multiple Class Action Lawsuits Filed Against City of Hope National Medical Center Over Data Breach
Several class action lawsuits have been filed against City of Hope National Medical Center, a National Cancer Institute (NCI)-designated cancer treatment and research center, over a recently disclosed data breach that exposed the protected health information of more than 827,000 individuals.
City of Hope National Medical Center identified suspicious activity within its network on October 13, 2023, and the forensic investigation confirmed there had been unauthorized access by a third party between September 19, 2023, and October 12, 2023. During that time, files containing patient data were exfiltrated from its network. The exposed and stolen data included contact information, Social Security numbers, driver’s license numbers, financial information, health insurance information, medical records, medical histories, diagnoses/conditions, and health insurance information. City of Hope National Medical Center issued notification letters on April 2, 2024, and offered the affected individuals complimentary credit monitoring services.
Class action lawsuits started to be filed soon after notification letters were mailed. The lawsuits make similar claims, that City of Hope National Medical Center failed to implement reasonable and appropriate cybersecurity safeguards, did not follow industry best practices for cybersecurity, and that the cyberattack that exposed their sensitive data could have been prevented. The plaintiffs allege that City of Hope National Medical Center should have been aware that it was a likely target for cybercriminals due to the high value of healthcare data on the black market and numerous warnings from federal agencies about the high risk of cyberattacks on the sector. The plaintiffs also allege an unnecessary delay in issuing notifications – five months after the cyberattack was detected.
The plaintiffs allege that injuries have been sustained as a result of the data breach. They face an imminent and increased risk of identity theft and fraud since their sensitive data is now in the hands of cybercriminals, and have and will continue to need to spend time and money protecting themselves from fraud, identity theft, and medical identity theft. At least 8 lawsuits have been filed to date in response to the data breach that make claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. The lawsuits seek class action certification, a jury trial, damages, and injunctive relief.
