25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation

A settlement has been agreed to resolve a class action lawsuit against the Nashville, TN-based health plan administration service provider, Lucent Health Solutions. The litigation stems from an October 2023 phishing attack that allowed a threat actor to obtain credentials for an email account.

Lucent Health Solutions said the threat actor only had a 90-minute window to access the account, and no evidence was found of data theft; however, the account contained the protected health information of approximately 37,000 individuals, including their names, dates of birth, Social Security numbers, and health, dental, and vision group and/or plan numbers.  The affected individuals were notified about the data breach in  January 2025, 15 months after the breach occurred.

A putative class action lawsuit was filed by plaintiff Royal Corralejo – Royal Corralejo v. Lucent Health Solutions, LLC Litigation – in the Circuit Court for Davidson County, Tennessee, which was removed to the United States District Court for the Middle District of Tennessee. The lawsuit alleged that the defendant had failed to implement reasonable and appropriate cybersecurity measures, resulting in the data breach. The defendant denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing.

After considering the costs and risks associated with a trial and related appeals, all parties agreed to discuss settling the lawsuit. During mediation on August 29, 2025, the material terms of a settlement were agreed by all parties, with no admission of liability or wrongdoing by the defendant. The settlement provides several benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $550 per class member, and a claim for up to $5,500 reimbursement for extraordinary losses from fraud or identity theft. A claim may also be submitted for up to 5 hours of lost time at $25 per hour.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Individuals who chose not to claim those benefits may instead claim a one-time cash payment of $80. Regardless of whether a claim is submitted for reimbursement of losses or the cash payment, class members may also claim a three-year membership to the CyEx Medical Shield Complete medical data monitoring service.

The defendant has agreed to pay up to $1,950,000 to resolve the lawsuit, which includes attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the plaintiff. Should claims exceed that total, claims will be subject to a pro rata reduction. The deadline for objection and opting out of the settlement is August 21, 2026. The deadline for submitting a claim is September 5, 2026, and the final fairness hearing has been scheduled for September 9, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist