Illinois Bone and Joint Institute Settles Class Action Data Breach Lawsuit for $4M
Illinois Bone and Joint Institute (IBJI), one of the largest orthopedic group practices in Illinois, has agreed to settle a consolidated class action lawsuit stemming from a 2024 cyberattack and data breach that affected up to 665,321 individuals.
IBJI identified unauthorized access to its computer systems on or around July 4, 2024. The forensic investigation determined that hackers had access to its network from May 30, 2024, to July 4, 2024, and copied files containing patient information. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnosis and treatment information, and health insurance/claims information. The breach was initially reported to the HHS’ Office for Civil Rights as affecting approximately 183,000 individuals. The total was later amended to 665,321 individuals, although the lawsuit states that approximately 568,000 individuals are in the settlement class.
The first class action lawsuit over the data breach was filed by plaintiff Guy Redman in the Circuit Court of Cook County, Illinois, County Department, Chancery Division. A further seven lawsuits were filed by other plaintiffs, which were consolidated into a single complaint because the lawsuits had overlapping claims. The consolidated class action lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
The defendant denied and continues to deny all claims and contentions in the lawsuit, including all claims of fault, wrongdoing, and liability. Following mediation, the material terms of a settlement were agreed upon to bring the litigation to an end and avoid the costs and distraction of protracted litigation and the uncertainty of a trial. The settlement has now been finalized and granted preliminary approval from the court. The final fairness hearing has been scheduled for July 1, 2026.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The defendant has agreed to establish a $4 million settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards from the class representatives. The remainder of the settlement fund will be used to pay for benefits for the class members. Class members are entitled to two years of medical data monitoring, reimbursement of out-of-pocket losses due to the data breach, and a pro rata cash payment. Class members may claim reimbursement of up to $5,000 in documented, unreimbursed losses and the cash payments are estimated to be $50 per class member, although the cash payments may be higher or lower depending on the number of claims received. The deadline for submitting a claim is July 1, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 1, 2026.
