Memorial Hospital and Manor Agrees to Settle Ransomware Class Action Lawsuit
Memorial Hospital and Manor, a small rural hospital in Bainbridge, Georgia, has agreed to settle a class action lawsuit that was filed in response to a November 2024 ransomware attack and data breach. The ransomware attack was detected on November 2, 2024, when access was prevented to its EMR system, email, and website. The hospital alerted patients to the attack via its Facebook account on November 3, 2024, and issued notification letters to the affected individuals on February 7, 2025. The breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 120,085 individuals. Names, Social Security numbers, dates of birth, health insurance information, medical treatment information, and medical histories were compromised in the attack.
The first of several class action lawsuits was filed on February 10, 2025, by plaintiff Morgan Wade in the District Court for the Middle District of Georgia, Albany Division, and a further 9 class action lawsuits were filed by affected patients. The lawsuits were consolidated into a single complaint – Smith et al. v. The Hospital Authority of the City of Bainbridge and Decatur County d/b/a Memorial Hospital and Manor – in the State Court of Decatur County, Georgia, as the lawsuits had similar claims with overlapping classes. The consolidated lawsuit asserted several claims, including negligence for failing to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data stored on its network. Memorial Hospital and Manor denies any wrongdoing; however, all parties agreed to settle the lawsuit to avoid the costs and risks of a trial and related appeals.
According to the settlement agreement, the class consists of approximately 105,000 current and former patients who were notified about the data breach. Under the terms of the settlement, class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000, and may claim up to $100 as reimbursement for lost time (max 4 hours at $25 per hour). As an alternative to submitting a claim for reimbursement of losses and lost time, class members may choose to receive a cash payment of $40. Class members are also entitled to enroll in the CyEx Medical Shield Pro medical data monitoring service for 12 months. The service includes a $1,000,000 medical identity theft insurance policy.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for January 20, 2026. The deadline for submitting a claim is January 5, 2026, and individuals wishing to object to or exclude themselves from the settlement must do so by December 22, 2025.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
