
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Class Action Data Breach Settlements Agreed with Three Healthcare Providers

Settlements have been agreed to resolve class action data breach lawsuits against Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood.

Hypertension Nephrology Associates Data Breach Settlement

Hypertension Nephrology Associates (HNA) in Willow Grove, Pennsylvania, has agreed to pay $625,000 to settle a class action lawsuit stemming from a January 2024 data breach. Unauthorized network access was detected on February 6, 2024, when a ransom note was found. A ransomware actor breached its network and stole the personal and protected health information of 39,491 patients, including health and financial information. HNA notified the affected individuals on May 17, 2024.

Plaintiff Patricia Kidwell filed a lawsuit – Kidwell v. Hypertension Nephrology Associates, P.C. – in the Court of Common Pleas of Montgomery County, Pennsylvania, alleging the cyberattack and data breach were due to the defendant’s failure to implement reasonable security protections in violation of the HIPAA Security Rule. The lawsuit also claimed that the defendant failed to detect the breach for two weeks and then delayed issuing notifications for three months, in violation of the HIPAA Breach Notification Rule. HNA offered the affected individuals 12 months of complimentary credit monitoring services, which the plaintiff claimed was wholly inadequate.

The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, and invasion of privacy. HNA disagrees with all of the claims and maintains that there was no wrongdoing. Shortly after the lawsuit was filed, the plaintiff and defendant agreed to explore the possibility of an early resolution to the litigation, and following mediation, a settlement was agreed upon that was acceptable to all parties.


HNA will establish a $625,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and class representative awards. The remainder of the fund will be used to pay benefits to the class members. Class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member. Alternatively, class members may submit a claim for a one-time cash payment, the amount of which will depend on the number of valid claims received. Regardless of the option chosen, all class members may also claim two years of credit monitoring and insurance services. The deadline for submitting a claim is January 20, 2026, and the final fairness hearing has been scheduled for February 18, 2026.

Asheville Arthritis and Osteoporosis Center Data Breach Settlement

Asheville Arthritis and Osteoporosis Center in North Carolina has agreed to settle a class action lawsuit that was filed in response to a May 2024 cyberattack and data breach that affected 58,251 patients. The attack occurred on or around May 22, 2024, and involved unauthorized access to patient information, including names, addresses, dates of birth, telephone numbers, Social Security numbers, medical notes, lab results, diagnoses, and health insurance information.

A lawsuit – Stiwinter et al. v. Asheville Arthritis and Osteoporosis Center – was filed by plaintiff Karen Stiwinter in the Superior Court of Buncombe County, North Carolina, and was later transferred to the North Carolina Business Court. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, and unjust enrichment, and sought damages and declaratory and injunctive relief. Asheville Arthritis and Osteoporosis Center denies any wrongdoing and disagrees with all claims asserted in the lawsuit; however, the decision was taken to settle the litigation to avoid the cost, time, and uncertainty of trial.

Asheville Arthritis and Osteoporosis Center will establish a $500,000 settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards will be deducted. The remainder of the fund will be used to pay benefits to the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Class members not wishing to submit a claim for reimbursement of losses can choose to receive a one-time pro rata cash payment, estimated to be $100. The cash payments may be higher or lower depending on the number of valid claims received. The deadline for objection to and exclusion from the settlement is January 26, 2026, and all claims must be submitted by the same date. The final fairness hearing has been scheduled for February 9, 2026.

Intermountain Planned Parenthood Data Breach Settlement

A settlement has received final approval from the court to resolve class action litigation against Intermountain Planned Parenthood over an August 2024 data breach. Intermountain Planned Parenthood, doing business as Planned Parenthood of Montana, identified unauthorized access to its network on September 6, 2024, and determined that an unauthorized third party accessed its network on August 28, 2024, and may have obtained the personal and protected health information of up to 56,917 patients.

Data potentially compromised in the incident included names, addresses, dates of birth, medical record numbers, health insurance information, provider names, dates of service, diagnosis information, treatment information, and prescription information. Two class action lawsuits were filed in response to the data breach in the Thirteenth Judicial District Court for Yellowstone County, which were consolidated into a single complaint – Nicole Downey & Sarah Suzanne Sullivan v. Intermountain Planned Parenthood, Inc. d/b/a Planned Parenthood of Montana. The lawsuit asserted claims of negligence/negligence per se, breach of implied contract, breach of bailment, invasion of privacy, and unjust enrichment, all of which were denied by the defendant, along with all charges of liability or wrongdoing.

All parties agreed to settle the litigation to avoid the cost and uncertainty of trial. Under the terms of the settlement, class members may submit a claim for reimbursement of out-of-pocket losses and lost time up to a maximum of $5,000 plus a maximum of $80 for lost time (up to 4 hours at $20 per hour). In addition, all class members are entitled to claim a two-year membership to a medical data monitoring service, which includes a $1 million medical theft insurance policy. The deadline for submitting a claim is January 12, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
