
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

MedStar Health Agrees to $1.35 Million Settlement to Resolve Class Action Data Breach Litigation

MedStar Health has agreed to settle class action litigation stemming from a 2023 data breach that affected more than 183,000 individuals. MedStar Health will create a $1.35 million settlement fund to cover attorneys’ fees, legal costs and expenses, and claims from class members for reimbursement of out-of-pocket expenses fairly traceable to the data breach.

MedStar Health, the largest healthcare provider in Maryland and Washington, D.C., provides medical services through 120 entities, including 10 hospitals. Between January 25, 2023, and October 18, 2023, an unauthorized third party gained access to the email accounts of three employees and accessed or obtained the protected health information of 183,079 patients. The individuals were notified about the data breach on May 4, 2024.

Shortly after the notification letters were mailed, a class action lawsuit was filed by Gwendolyn Riddick individually and on behalf of similarly situated individuals. A further five class action lawsuits were filed by other MedStar Health patients. Since all six lawsuits were materially and substantively identical and had overlapping claims, they were consolidated into a single action, In re MedStar Health Data Security Incident, in the U.S. District Court for the District of Maryland. The plaintiffs alleged that MedStar Health failed to implement reasonable and appropriate safeguards to protect the sensitive data it stored on its network.

MedStar Health denies any wrongdoing and disagrees with the claims and contentions in the lawsuit; however, MedStar agreed to a settlement to avoid the cost and risk of a trial and any possible appeals. The $1,350,000 settlement fund will be used to pay attorneys’ fees up to $450,000, settlement administration costs up to $250,000, class representative awards of $2,500 for each of the six named plaintiffs, attorneys’ expenses, and medical data monitoring costs. The remainder of the settlement fund will be used to cover claims from class members, who are U.S. residents who are current or former MedStar patients or employees who were notified that their data was exposed between January 25, 2023, and October 18, 2023.


Under the terms of the settlement, class members may claim one of two cash payments plus a one-year membership to a medical and healthcare data monitoring service. Class members may submit a claim for reimbursement of documented losses up to a maximum of $5,000 per class member, or they may alternatively claim a cash payment, which is estimated to be $100. The cash payments may be adjusted based on the number of valid claims received.

The deadline for objecting to and opting out of the settlement is September 14, 2025. The deadline for filing a claim is October 14, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 4, 2025.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
