General Physician Pays $2.5 Million to Settle Data Breach Litigation
General Physician, P.C., a medical group serving patients in Western New York, has agreed to pay $2.5 million to settle a class action lawsuit over a 2024 data breach.
Suspicious activity was identified within its email environment on June 12, 2024. The forensic investigation confirmed that an unauthorized third party had access to its email system from April 6, 2024, to June 12, 2024. Patient information exposed and potentially stolen in the incident included full names, addresses, Social Security numbers, financial account information, dates of birth, medical history information, mental and physical treatment information, diagnosis information, treating physician names, medical record numbers, and health insurance information. The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 individuals. The total was later updated to 167,387 individuals.
Several class action lawsuits were filed in response to the data breach and were consolidated as Newhart v. General Physician, P.C., in the Supreme Court of the State of New York, County of Erie. The plaintiffs alleged that General Physician was negligent for failing to implement reasonable and appropriate cybersecurity measures to protect sensitive patient data on its network. General Physician maintains that there was no wrongdoing and that there is no liability. All parties explored an early settlement and, following mediation, the material terms of a settlement were agreed. The settlement has now been finalized and has received preliminary approval from the court. The final fairness hearing has been scheduled for June 4, 2025.
Under the terms of the settlement, General Physician has agreed to establish a $2,500,000 settlement fund, which will be used to pay benefits to the class members after attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives have been deducted. While the OCR breach portal states that the protected health information of up to 167,387 individuals was compromised in the incident, the settlement class consists of approximately 490,210 individuals.
Class members are entitled to claim a two-year membership to a single-bureau credit monitoring and medical data monitoring service. In addition, they may submit a claim for one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for a pro rata cash payment. The value of the pro rata cash payment will depend on the number of valid claims received. Based on the estimated response rate, the cash payments are expected to be approximately $60. The deadline for objecting to the settlement and opting out is April 27, 2026. Claims must be submitted by May 27, 2026.


