
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million

A class action lawsuit against Hospital Sisters Health System has been settled for $7.6 million. The lawsuit relates to an August 2023 cyberattack that affected approximately 883,000 individuals. The cyberattack caused an outage of computer systems, phone lines, and websites, and the health system's MyChart and MyPrevea applications were taken offline for several days, leaving the health system unable to take payments. The investigation confirmed that the threat actor accessed systems containing patient and employee information between August 16, 2023, and August 27, 2023, and potentially exfiltrated data. Notification letters started to be mailed to the affected individuals on October 26, 2023.

Several class action lawsuits were filed against Hospital Sisters Health System in response to the data breach. Since they had overlapping claims and were based on the same facts, the lawsuits were consolidated into a single action – In re Hospital Sisters Health System Data Breach Litigation, in the Circuit Court of the Seventh Judicial Circuit of the State of Illinois, Sangamon County, Chancery Division.

The lawsuit alleged that Hospital Sisters Health System was negligent because it failed to implement reasonable and appropriate security measures to protect its network and patient and employee data from unauthorized access, and had those measures been implemented, the data breach could have been prevented. Hospital Sisters Health System denies all claims asserted in the lawsuit and denies all allegations of wrongdoing and liability. Class counsel and the plaintiffs believe that the legal claims asserted in the lawsuit have merit.

After assessing the strengths and weaknesses of the case, the plaintiffs and defendants moved to settle the litigation to avoid the burden, expense, risk, and uncertainty of continued litigation. Class counsel and the plaintiffs believe that the settlement is fair and provides substantial benefits for the settlement class. Under the terms of the settlement, all class members are entitled to enroll in financial data monitoring services for two years. The CyEx Financial Shield package includes fraud and identity monitoring, including monitoring for unauthorized financial transactions and compromised bank and financial account numbers. Class members will also benefit from a $1 million financial fraud insurance policy.

Class members are also eligible to claim one of two cash benefits. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member. Alternatively, they can submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees, expenses, settlement administration costs, class representative awards, financial data monitoring costs, and claims have been paid.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 4, 2025. Class members wishing to object to the settlement or exclude themselves must do so by November 14, 2025, and the deadline for submitting a claim is November 14, 2025.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
