25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack

A settlement has been agreed to resolve a class action lawsuit against the Pinehurst, North Carolina-based molecular, cytology, and pathology service provider Marlboro-Chesterfield Pathology, P.C. The lawsuit was filed in response to a January 2025 ransomware attack by the SafePay ransomware group.

Unauthorized network access was identified on January 16, 2025, and the forensic investigation confirmed that 235,911 individuals had their data compromised in the attack, including their names, dates of birth, Social Security numbers, and protected health information. The affected individuals were notified about the incident on or around May 7, 2025.

A class action lawsuit – Cox v. Marlboro-Chesterfield Pathology, P.C – was filed in the County of Moor Superior Court by plaintiff Cox, individually and on behalf of similarly affected individuals. Plaintiff Cox alleged that her personal and protected health information was in the hands of cybercriminals as a result of the attack, and that the ransomware attack occurred as a result of the failure of Marlboro-Chesterfield Pathology to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network.

Marlboro-Chesterfield Pathology maintains there was no wrongdoing and disagrees with the claims and contentions in the lawsuit, including claims of fault and liability, and plaintiff Cox believes her claims are valid. After arms-length negotiations, and after the parties considered the costs and risks associated with continuing with the litigation, they entered into settlement discussions, and the material terms of a settlement were agreed on November 21, 2025.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The settlement has now been finalized and has received preliminary approval from the court. The defendant has agreed to pay attorneys’ fees and expenses, settlement administration and notice costs, and a service award for the class representative. Attorneys’ fees and costs have been capped at $100,000.

Class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member. Individuals who had their Social Security numbers compromised in the incident may submit a claim for an alternative cash payment of $10, should they choose not to submit a claim for reimbursement of losses.

All individuals, regardless of whether they submit a claim for reimbursement of losses or the cash payment, are entitled to a one-year membership to a credit monitoring and identity theft protection service, which includes a $1 million identity theft insurance policy. The deadline for objection, opting out, and submitting a claim is August 21, 2026. The final fairness hearing has been scheduled for October 12, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist