Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. Kaiser Permanente agreed to a $46 million settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including Google, Microsoft Bing, Twitter/X, and Adobe) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans 2017–2024.
Separately, two healthcare entities reached settlements following network intrusions that allegedly exposed protected health information and other sensitive identifiers. Mystic Valley Elder Services agreed to pay $520,000 to settle claims stemming from an April 2024 incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting ~89,600 people; plaintiffs also alleged delayed detection and notification. Consulting Radiologists Ltd. received approval for a $2.2 million settlement after a 2024 intrusion affecting up to 583,824 individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Kaiser agrees to $46 million patient data privacy settlement
Kaiser Permanente agreed to a $46 million settlement to resolve litigation alleging patient-related website data was improperly shared with third parties via tracking technologies. Kaiser denied wrongdoing, said it removed certain technologies out of caution, and settled to avoid prolonged litigation.
Mystic Valley Elder Services agrees to $520,000 settlement
Mystic Valley Elder Services agreed to a $520,000 mediated settlement to resolve consolidated class action litigation over its April 2024 breach. The deal includes estimated cash payments of about $75 per class member, reimbursement of documented losses up to $5,000, and two years of credit monitoring and identity theft protection.
Consulting Radiologists reaches court-approved $2.2 million settlement
A court-approved $2.2 million settlement resolved consolidated class action litigation over the Consulting Radiologists data breach. The settlement offers reimbursement for documented losses up to $5,000, two years of single-bureau credit monitoring, and cash payments expected to be about $125 for Social Security number-impacted individuals and $50 for others.
Court allows key claims in Consulting Radiologists case to proceed
After partially dismissing some claims in the Consulting Radiologists litigation, the court allowed core claims to continue, including negligence and claims under the Minnesota Consumer Fraud Act and Health Records Act. This kept the main breach-related allegations alive ahead of settlement.
Mystic Valley class action complaints are consolidated
Five class action complaints arising from the Mystic Valley Elder Services breach were consolidated in Middlesex County Superior Court, Massachusetts, under the case In re Mystic Valley Elder Services Inc. The consolidated suit alleged inadequate cybersecurity, delayed detection, and untimely notification.
Consulting Radiologists reports breach to HHS OCR
Consulting Radiologists reported its data breach to the HHS Office for Civil Rights, stating that up to 583,824 individuals may have been affected. The filing made the healthcare incident publicly reportable at the federal level.
Mystic Valley Elder Services suffers network intrusion
Mystic Valley Elder Services experienced a network intrusion and data breach on April 5, 2024. The incident potentially exposed sensitive personal and health information of more than 89,600 individuals.
Consulting Radiologists detects unauthorized network intrusion
Consulting Radiologists identified an unauthorized intrusion into its network on February 12, 2024. Investigators later determined the intruder may have accessed patient data, including names, addresses, dates of birth, medical and insurance information, and Social Security numbers for 19,346 individuals.
Kaiser allegedly shared patient website data with third parties
Between 2017 and 2024, Kaiser Permanente allegedly transmitted data from certain patient-facing websites to third parties including Google, Microsoft Bing, Twitter/X, and Adobe through web tracking technologies. The allegations concerned online platform interactions rather than Kaiser’s internal medical record systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Kaiser to Pay $46M in Patient Data Lawsuit. Find Out If You’re Eligible
techrepublic.com
Open sourceMystic Valley Elder Services Agrees to Settle Class Action Data Breach Lawsuit for $520,000
hipaajournal.com
Open sourceConsulting Radiologists Pays $2.2M to Settle Class Action Data Breach Litigation
hipaajournal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Provider Email and Network Intrusions Expose Patient Data
**General Physician, P.C.** agreed to pay **$2.5 million** to settle consolidated class-action litigation tied to a **2024 email-environment compromise** that exposed sensitive patient data. The organization detected suspicious activity on **June 12, 2024**, and a forensic investigation found an unauthorized party had accessed its email system from **April 6 to June 12, 2024**. Potentially exposed data included **SSNs, financial account information, dates of birth, medical and treatment details, diagnoses, medical record numbers, and insurance information**; the affected population was later updated to **167,387 individuals** (after an initial placeholder report of 501 to HHS OCR). The settlement fund is intended to provide class benefits after fees/expenses, and the company did not admit wrongdoing. Two additional California healthcare providers reported separate security incidents involving unauthorized access to systems containing patient information. **Valley Radiology Consultants Medical Group** identified a breach on **September 15, 2025**, engaged third-party incident response support, confirmed unauthorized access to its network and files, and began mailing notifications after completing file review on **February 18, 2026**; it also offered **12 months of credit monitoring** and reported taking remediation steps (e.g., password changes and security enhancements). **Nephrology Associates Medical Group** separately began notifying patients about a cyberattack first identified on **May 20, 2025** (details in the provided excerpt are truncated), indicating another healthcare-sector intrusion with patient data exposure risk.
Mar 21, 2026
Kaiser Permanente Settlement Over Web Tracker Data Breach
Kaiser Permanente has agreed to pay up to $47.5 million to settle consolidated class action lawsuits alleging that the healthcare provider's use of web tracking codes on its websites, patient portals, and mobile apps resulted in the unauthorized sharing of sensitive patient information with third-party technology companies, including Google, Microsoft, and X (formerly Twitter). The lawsuits claimed that these embedded trackers violated federal and state laws by disclosing protected health information to external entities without patient consent, leading to a significant HIPAA breach. The incident, reported to federal regulators in April 2024, affected approximately 13.4 million individuals and was the second largest health data breach reported to the U.S. Department of Health and Human Services that year. The settlement addresses allegations that Kaiser Permanente's practices compromised the privacy and security of patient data, highlighting ongoing concerns about the use of third-party tracking technologies in healthcare digital platforms.
Mar 21, 2026
Healthcare Data Breach Notifications and Settlement Involving Patient Information Exposure
Multiple healthcare-related organizations disclosed **separate** incidents involving exposure or theft of patient data. Delta Medical Systems reported unauthorized access to its email environment on July 15, 2025, with potentially exposed data including names, dates of birth, Social Security numbers, driver’s license information, bank details, insurance information, and medical information. A separate HIPAA Journal report described additional incidents at Cedar Valley Services, Community Nurse, and Health Dimensions Group, including a likely **Qilin ransomware** intrusion at Cedar Valley Services and a vendor-linked compromise affecting Community Nurse through *Doctor Alliance*, where files may have been accessed between October 31 and November 17, 2025. In a different but related healthcare privacy matter, a judge approved a **$5 million settlement** in litigation against Geisinger Health and *Nuance Communications* over the theft of medical records affecting roughly **1.3 million patients** by a former Nuance employee. The stolen records reportedly included names, birthdates, addresses, medical record numbers, treatment details, and insurance information. While all three reports concern healthcare data exposure, they describe **distinct incidents** rather than one unified breach event, spanning direct compromises, third-party/vendor exposure, suspected ransomware activity, and post-incident legal resolution.
Mar 21, 2026