Healthcare Providers Settle Data Breach Lawsuits

Post Summary

Three healthcare providers have reached settlements to resolve class action lawsuits stemming from data breaches that exposed sensitive patient information. Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood each faced legal challenges after cyberattacks compromised the data of tens of thousands of patients. Here are the details of the settlements.

Hypertension Nephrology Associates: $625,000 Settlement

Hypertension Nephrology Associates (HNA), based in Willow Grove, Pennsylvania, agreed to a $625,000 settlement after a ransomware attack in January 2024 exposed the personal and protected health information of 39,491 patients. Unauthorized network access was detected on February 6, 2024, when a ransom note was discovered, and affected patients were notified on May 17, 2024.

The lawsuit, Kidwell v. Hypertension Nephrology Associates, P.C., filed in the Court of Common Pleas of Montgomery County, Pennsylvania, alleged that HNA failed to implement reasonable security measures in violation of the HIPAA Security Rule. It also claimed the healthcare provider delayed notifying affected individuals, violating the HIPAA Breach Notification Rule. The suit asserted claims including negligence, breach of implied contract, unjust enrichment, and invasion of privacy.

HNA denied all allegations of wrongdoing, but following mediation, both parties agreed to settle the matter. The settlement establishes a $625,000 fund to cover attorneys’ fees, settlement administration costs, and compensation for class members. Patients may submit claims for reimbursement of up to $5,000 for documented losses or opt for a one-time cash payment, with the exact amount determined by the number of valid claims. Additionally, all class members are eligible for two years of credit monitoring and insurance services. Claims must be filed by January 20, 2026, with a final fairness hearing scheduled for February 18, 2026.

Asheville Arthritis and Osteoporosis Center: $500,000 Settlement

In North Carolina, Asheville Arthritis and Osteoporosis Center agreed to a $500,000 settlement after a May 2024 cyberattack exposed the personal information of 58,251 patients. The breach involved unauthorized access to sensitive data, including names, addresses, Social Security numbers, medical records, and health insurance information.

The lawsuit, Stiwinter et al. v. Asheville Arthritis and Osteoporosis Center, was filed in the Superior Court of Buncombe County and later transferred to the North Carolina Business Court. Plaintiffs alleged negligence, breach of fiduciary duty, and unjust enrichment, among other claims. While the Center denied any wrongdoing, it chose to settle to avoid the costs and risks of litigation.

The settlement fund will cover legal fees, administrative costs, and compensation for affected individuals. Patients can claim up to $5,000 for documented losses or opt for a pro rata cash payment, estimated at $100, depending on the number of claims. The deadline for submitting claims or objections is January 26, 2026, with a final fairness hearing set for February 9, 2026.

Intermountain Planned Parenthood: Settlement Finalized

Intermountain Planned Parenthood, operating as Planned Parenthood of Montana, finalized a settlement to resolve lawsuits following an August 2024 data breach that affected 56,917 patients. The breach involved unauthorized access to patient data, including names, medical records, and insurance information.

The lawsuits, consolidated into Nicole Downey & Sarah Suzanne Sullivan v. Intermountain Planned Parenthood, Inc. d/b/a Planned Parenthood of Montana, alleged negligence, breach of implied contract, and invasion of privacy. Intermountain Planned Parenthood disputed all claims but agreed to settle to avoid the uncertainties of trial.

Patients may claim up to $5,000 for documented out-of-pocket losses and $80 for lost time (up to 4 hours at $20 per hour). The settlement also includes a two-year membership to a medical data monitoring service with a $1 million medical theft insurance policy. The deadline to submit claims was January 12, 2026.

Looking Ahead

These settlements highlight the growing risks healthcare providers face from cyberattacks and the significant costs of resolving data breaches. As these cases conclude, affected patients are now eligible to seek compensation for their losses and access monitoring services to protect their identities moving forward.
