Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit
Gryphon Healthcare, a Houston, TX-based revenue cycle, coding, compliance, consultancy, and management services vendor, faced multiple class action lawsuits over a July 2024 cyberattack involving a partner for which it provides billing services. Gryphon Healthcare learned about the incident in August 2024, and its investigation found that files may have been viewed or obtained. Those files contained the protected health information of 393,358 patients, including names, dates of birth, addresses, Social Security numbers, dates of service, diagnoses, medical treatment information, prescriptions, medical record numbers, and health insurance information.
On or around October 11, 2024, Gryphon Healthcare started sending notification letters to the affected individuals, and shortly thereafter, the first class action lawsuit was filed. A further eight lawsuits were subsequently filed, which were consolidated into a single complaint – Morris et al., v. Gryphon Healthcare, LLC – in the District Court for Harris County, Texas. The lawsuit asserted claims of negligence/negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, unjust enrichment, bailment, a failure to provide adequate notice pursuant to any breach notification statute or common law duty, and violations of state consumer protection laws.
While Gryphon Healthcare denies wrongdoing, fault, and liability for the cyberattack and data breach, after considering the cost and distraction of continuing the litigation and the uncertainty of trial, the decision was taken to settle. Under the terms of the settlement, Gryphon Healthcare will establish a $2,800,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the nine named plaintiffs. After those costs have been deducted, the remainder of the fund will be used to pay benefits to the class members.
Class members may choose one of two cash payments. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, they may choose to receive a cash payment, which is estimated to be $100, but may increase or decrease depending on the number of valid claims received. All class members who submit a valid claim are entitled to a two-year membership to an identity theft protection and medical data monitoring service, which includes a $1 million identity theft insurance policy. The deadline for objecting to the settlement and opting out is March 17, 2026. Claims must be submitted by April 16, 2026, and the final fairness hearing has been scheduled for August 31, 2026.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Nov 4, 2024: Gryphon Healthcare Facing Multiple Lawsuits Over 400,000-Record Data Breach
Gryphon Healthcare, a Houston, TX-based provider of revenue cycle management and medical billing services to healthcare providers, is facing multiple class action lawsuits over an August 2024 data breach that involved unauthorized access to the protected health information of almost 400,000 individuals. The compromised information included names, contact information, Social Security numbers, diagnosis and treatment information, health insurance information, and medical record numbers. The intrusion occurred via an unnamed IT service provider.
At least seven lawsuits have now been filed by individuals who were recently notified about the exposure of their protected health information. The plaintiffs allege that Gryphon Healthcare failed to implement reasonable and appropriate cybersecurity measures to protect the sensitive information it stored and also failed to monitor its network for unauthorized activity. The lawsuits assert that if appropriate defenses had been implemented and if industry standards had been adhered to, the data breach could have been prevented. Proper monitoring would have allowed the intrusion to be detected much more promptly.
The lawsuits make similar claims, including a violation of duties under common law, contract law, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Trade Commission (FTC) Act. The plaintiffs allege that the theft of their personal and protected health information has resulted in them suffering and continuing to suffer injuries, including financial harm due to the misuse of their information, lost time due to the detection and prevention of identity theft and fraud, and the loss or diminished value of their private information.
The plaintiffs make claims of negligence, negligence per se, invasion of privacy, breach of confidence, breach of fiduciary duty, breach of implied contract, breach of third-party beneficiary contract, and unjust enrichment. The lawsuits were filed in Texas federal court and seek class action certification for a nationwide class of individuals affected by the data breach, a jury trial, actual, compensatory, statutory, and punitive damages, and injunctive relief, including an order from the court requiring Gryphon Healthcare to implement a host of security measures to safeguard the personal and protected health information stored by the company.
