
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Four Healthcare Providers Settle Class Action Lawsuits Over Data Breaches

Settlements have been agreed to resolve class action lawsuits over healthcare data breaches experienced by Alabama Cardiovascular Group, Carolina Arthritis Associates, Rocky Mountain Gastroenterology Associates, and Regional Obstetrical Consultants.

Alabama Cardiovascular Group Data Breach Settlement

Alabama Cardiovascular Group has settled a class-action data breach lawsuit arising from a data security incident detected on July 2, 2024. The investigation confirmed that an unauthorized third party accessed its network between June 6, 2024, and July 2, 2024, and exfiltrated files containing patient and employee information. Data compromised in the incident included names, contact information, Social Security numbers, health insurance information, and medical information. The data breach affected 280,534 individuals.

Multiple class action lawsuits were filed in response to the data breach and were consolidated into a single action – Tammy Brown et al., v. Alabama Cardiology Group P.C. d/b/a Alabama Cardiovascular Group – in the Circuit Court for Jefferson County, Alabama. The consolidated lawsuit asserts claims of negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, and breach of fiduciary duty. Alabama Cardiovascular Group denies all claims of liability and wrongdoing, and disagrees that the data breach caused any harm to the affected patients and employees; however, to avoid the cost of protracted litigation and the uncertainty of trial and related appeals, the decision was taken to settle the lawsuit.

Under the terms of the settlement, Alabama Cardiovascular Group has agreed to establish a $2,225,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the class representatives, and benefits for the class members. Class members are entitled to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may choose to receive a pro rata cash payment, which will be paid from the residual funds after costs and expenses have been deducted and claims have been paid. Regardless of the cash payment chosen, class members are entitled to two years of credit monitoring services. The deadline for exclusion and opting out is February 4, 2026. Claims must be submitted by March 6, 2026, and the final approval hearing has been scheduled for March 20, 2026.

Carolina Arthritis Associates Data Breach Settlement

Carolina Arthritis Associates has agreed to settle a consolidated class action lawsuit over a September 2024 data breach. The Carolina Arthritis Associates data breach was identified on September 27, 2024, and the investigation determined that files containing patient data may have been exfiltrated from its network between September 26, 2024, and September 30, 2024.

The file review confirmed that names, birth dates, treatment/procedure information, medical record numbers, provider names, and Social Security numbers may have been stolen. Up to 36,961 individuals were affected by the data breach. Multiple class action lawsuits were filed in response to the data breach, alleging that Carolina Arthritis Associates failed to implement reasonable and appropriate security measures to protect sensitive data on its network. The lawsuits were consolidated – In re Carolina Arthritis Associates Data Incident Litigation – in the General Court of Justice, Superior Court Division for New Hanover County, North Carolina. Carolina Arthritis Associates denies all claims of wrongdoing and liability but agreed to settle the litigation to avoid the cost and time of protracted litigation and the uncertainty of trial.

Carolina Arthritis Associates has agreed to establish a $600,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. After those costs have been paid, the remainder of the settlement fund will be used to pay benefits to the class members. Class counsel and the class representatives believe the settlement is fair, and the settlement has received preliminary approval from the court.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, a claim may be submitted for a pro rata cash payment, estimated to be $100 per class member. The cash payments may be increased or decreased based on the number of claims received. In addition, credit monitoring and identity theft protection services have been offered to the affected individuals for two years. The deadline for objection and opting out of the settlement is February 6, 2026. The deadline for submitting a claim is February 23, 2026. The final fairness hearing has been scheduled for March 10, 2026.

Regional Obstetrical Consultants Data Breach Settlement

Regional Obstetrical Consultants has settled a class action lawsuit over a May 2024 data breach affecting 25,787 current and former patients. An unauthorized third party gained access to its network on or around May 6, 2024, and potentially obtained names, dates of birth, addresses, phone numbers, medical record numbers, insurance ID numbers, diagnoses, medical histories, and procedure information. The affected individuals were notified on January 22, 2025.

Three class action lawsuits were filed against Regional Obstetrical Consultants over the data breach. The lawsuits had overlapping claims, and were consolidated into a single action – Heidi Davis et al. v. Regional Obstetrical Consultants, P.C. – in the Chancery Court of Hamilton County, Tennessee. The consolidated lawsuit alleged the data breach occurred as a result of the failure to implement reasonable and appropriate security measures, and asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty.

Regional Obstetrical Consultants denies all claims of wrongdoing and liability; however, to avoid the cost, time, and distraction of prolonged litigation and the uncertainty of trial, the decision was taken to settle the litigation. Under the terms of the settlement, class members may submit a claim for one of three benefits. A claim may be submitted for reimbursement of documented, unreimbursed, extraordinary losses up to a maximum of $7,500 per class member. Alternatively, a claim may be submitted for reimbursement of documented ordinary losses up to a maximum of $2,000 per class member, or a pro rata cash payment may be claimed, which is estimated to be $50 per class member, but may be higher or lower based on the number of claims received. The deadline for exclusion and objection is January 31, 2026. The deadline for submitting a claim is February 15, 2026. The final fairness hearing has been scheduled for March 2, 2026.

Rocky Mountain Gastroenterology Associates Data Breach Settlement

Rocky Mountain Gastroenterology Associates has agreed to settle class action litigation over a data breach that was identified on September 13, 2024, involving unauthorized access to the electronic protected health information of 366,491 patients. Data compromised in the incident included names, addresses, dates of birth, patient account numbers, medical record numbers, Social Security numbers, health insurance identification numbers, and health information such as diagnoses and treatment information.

Notification letters started to be mailed to the affected individuals on November 13, 2024, and the first class action lawsuit was filed on December 19, 2024, by plaintiff David Davis. Further lawsuits were filed by other affected individuals. The lawsuits were consolidated – David Davis et al. v. Rocky Mountain Gastroenterology Associates PLLC – in the Colorado District Court for Jefferson County, as the lawsuits had overlapping claims. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and for declaratory judgment. Rocky Mountain Gastroenterology Associates denies all claims of wrongdoing and liability.

Shortly after the consolidated class action lawsuit was filed, all parties began to explore the possibility of early resolution, and following mediation, the material terms of a settlement were agreed upon. The settlement has now been finalized and approved by the court. Under the terms of the settlement, class members are entitled to two years of complimentary credit monitoring and identity theft protection services, retailing at $14.95 per month. In addition, class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach. The reimbursement claims have been capped at $1,000 per class member. The deadline for submitting a claim is February 2, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
