25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement

Physicians Primary Care of Southwest Florida was the victim of a targeted cyberattack in September 2024 that exposed patient data. The data breach sparked a class action lawsuit alleging the breach could have been prevented, as Physicians Primary Care of Southwest Florida failed to implement reasonable and appropriate security measures to prevent unauthorized access to patient data in its possession.

Physicians Primary Care of Southwest Florida is a medical facility with offices in Fort Myers, Cape Coral, Estero, and Lehigh Acres, Florida, that specializes in internal medicine, obstetrics, gynecology, family practice, and pediatrics. On or around September 17, 2024, unauthorized access to its network was identified. The hackers behind the attack had access to the network from September 15, 2024, to September 17, 2024, and potentially viewed or obtained patient data such as names, health information, and Social Security numbers. The data breach was reported to the HHS’ Office for Civil Rights as affecting 170,653 individuals.

The first lawsuit over the data breach was filed on December 3, 2024, in the Circuit Court of the Twentieth Judicial Circuit. An amended complaint was filed on March 7, 2025, in the Circuit Court for Lee County, Florida, naming two alternative plaintiffs, as the plaintiff who filed the initial complaint was determined not to be a putative class member.

The lawsuit – Cirillo et al. v. Physicians Primary Care of Southwest Florida, P.L. – asserted claims for negligence, breach of implied contract, breach of fiduciary duty, violation of the Florida Deceptive and Unfair Trade Practices Act, and declaratory judgment. Physicians Primary Care of Southwest Florida denies wrongdoing and liability and disagrees with the claims and contentions asserted by the lawsuit.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Shortly after the amended complaint was filed, the parties began exploring the possibility of an early resolution. A settlement was not agreed upon during mediation, but after several months of negotiations, terms were agreed that were acceptable to all parties. The settlement class consists of all living adults in the United States who received a notification that the data breach involved their information.

Under the terms of the settlement, class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member. There is no alternative cash payment; however, all individuals are eligible to enroll in two years of medical monitoring services, which include a $1 million identity theft insurance policy.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for September 14, 2026. Individuals wishing to object to the settlement or opt out must do so by August 30, 2026. Claims must be submitted by September 29, 2026

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist