Columbia University Health Care to Pay $600,000 to Settle Data Breach Lawsuit
Columbia University Health Care (CUHC) has agreed to pay $600,000 to settle a class action lawsuit over a cybersecurity incident that affected 29,629 current or former patients. The data breach in question occurred between September 11, 2023, and March 7, 2024, when cybercriminals had access to an Internet-accessible platform used by Columbia University Irving Medical Center, the academic medical center of Columbia University, and the largest campus of New York-Presbyterian Hospital. Columbia University and New York-Presbyterian participate in an Organized Health Care Arrangement. The hackers were able to access sensitive healthcare information, including names, medical record numbers, dates of birth, provider names, and a single laboratory test result. Notification letters were mailed to the affected individuals in May 2024.
In July 2024, a lawsuit was filed against New York-Presbyterian Columbia University Irving Medical Center by Juanita Huggins, and a second lawsuit was filed in October 2024 by Margaret Nemeth. The defendant, New York-Presbyterian Hospital, was dismissed, and the litigation continued as Margaret Nemeth, et al. vs. Columbia University Health Care, Inc., in the Supreme Court of the State of New York, County of New York
The lawsuit alleged that CUHC failed to implement and maintain adequate security measures to protect the private information of patients in its possession and should have prevented the data breach. CUHC disagrees with the claims and contentions in the lawsuit and maintains there was no wrongdoing. Following mediation on April 18, 2025, the material terms of a settlement were agreed upon, and the settlement agreement has received preliminary approval from the court.
Under the terms of the settlement, CUHC has agreed to establish a $600,000 settlement fund, which will be used to cover attorneys’ fees and expenses, service awards for the class representatives, settlement administration costs, and benefits for the class members. All class members are entitled to claim a two-year subscription to the CyEx Medical Shield Complete service, which includes single-bureau credit monitoring, dark web monitoring, Medicare beneficiary monitoring, medical record number monitoring, health savings account monitoring, national provider identifier monitoring, high-risk transaction monitoring, security freeze assistance, and victim assistance services.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Class members may also submit a claim for reimbursement of documented, unreimbursed losses related to the data breach up to a maximum of $10,000 per class member. In addition, class members may claim a pro rata cash payment, which will be paid after all costs, expenses, claims, and credit monitoring costs have been deducted from the settlement fund. The deadline for exclusion from and objection to the settlement is October 27, 2025. All claims must be submitted by November 25, 2025, and the final fairness hearing has been scheduled for December 5, 2025. Further information is available on the settlement website: https://columbiahealthcaredatabreach.com/
