Mallory

Healthcare Privacy and Data Breach Class-Action Settlements

data breach, settlements, healthcare, class-action, privacy, protected, SSNs, intrusions
Updated January 15, 2026 at 11:03 PM (3 sources)

Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. Kaiser Permanente agreed to a $46 million settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including Google, Microsoft Bing, Twitter/X, and Adobe) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans 2017–2024.

Separately, two healthcare entities reached settlements following network intrusions that allegedly exposed protected health information and other sensitive identifiers. Mystic Valley Elder Services agreed to pay $520,000 to settle claims stemming from an April 2024 incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting ~89,600 people; plaintiffs also alleged delayed detection and notification. Consulting Radiologists Ltd. received approval for a $2.2 million settlement after a 2024 intrusion affecting up to 583,824 individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).

Related Stories

Healthcare Provider Email and Network Intrusions Expose Patient Data

**General Physician, P.C.** agreed to pay **$2.5 million** to settle consolidated class-action litigation tied to a **2024 email-environment compromise** that exposed sensitive patient data. The organization detected suspicious activity on **June 12, 2024**, and a forensic investigation found an unauthorized party had accessed its email system from **April 6 to June 12, 2024**. Potentially exposed data included **SSNs, financial account information, dates of birth, medical and treatment details, diagnoses, medical record numbers, and insurance information**; the affected population was later updated to **167,387 individuals** (after an initial placeholder report of 501 to HHS OCR). The settlement fund is intended to provide class benefits after fees/expenses, and the company did not admit wrongdoing.

Two additional California healthcare providers reported separate security incidents involving unauthorized access to systems containing patient information. **Valley Radiology Consultants Medical Group** identified a breach on **September 15, 2025**, engaged third-party incident response support, confirmed unauthorized access to its network and files, and began mailing notifications after completing file review on **February 18, 2026**; it also offered **12 months of credit monitoring** and reported taking remediation steps (e.g., password changes and security enhancements). **Nephrology Associates Medical Group** separately began notifying patients about a cyberattack first identified on **May 20, 2025** (details in the provided excerpt are truncated), indicating another healthcare-sector intrusion with patient data exposure risk.

1 week ago

Kaiser Permanente Settlement Over Web Tracker Data Breach

Kaiser Permanente has agreed to pay up to $47.5 million to settle consolidated class action lawsuits alleging that the healthcare provider's use of web tracking codes on its websites, patient portals, and mobile apps resulted in the unauthorized sharing of sensitive patient information with third-party technology companies, including Google, Microsoft, and X (formerly Twitter). The lawsuits claimed that these embedded trackers violated federal and state laws by disclosing protected health information to external entities without patient consent, leading to a significant HIPAA breach. The incident, reported to federal regulators in April 2024, affected approximately 13.4 million individuals and was the second largest health data breach reported to the U.S. Department of Health and Human Services that year. The settlement addresses allegations that Kaiser Permanente's practices compromised the privacy and security of patient data, highlighting ongoing concerns about the use of third-party tracking technologies in healthcare digital platforms.

3 months ago
Healthcare Data Breach Disclosures and Litigation Affecting Hundreds of Thousands of Patients

**Bell Ambulance** reported that a February 2025 network intrusion led to the compromise of protected health information for **237,830 individuals**, after unauthorized activity was detected on **Feb. 13, 2025**. The organization said the exposed data can include **names, dates of birth, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information**; it offered **12–24 months** of credit monitoring/identity protection and stated it was not aware of misuse at the time of notification. The incident response included third-party forensic support, and notifications were issued in phases as the data review progressed, with additional letters sent into March 2026.

Separately, **Cornerstone Specialty Hospitals** agreed to pay **$2.35 million** to settle a class action lawsuit tied to a data breach that reportedly affected **nearly 500,000 individuals**. The available reporting focuses on the settlement amount and impacted population size, indicating ongoing legal and financial consequences for large-scale healthcare data exposure even when technical details of the underlying intrusion are not publicly described in the same source.

5 days ago
