Healthcare and consumer privacy litigation over alleged improper data access and collection
Multiple legal actions highlighted ongoing privacy and data-protection risk across healthcare and consumer platforms. Epic Systems sued health information exchange implementer Health Gorilla and several provider organizations, alleging improper access to roughly 300,000 patients’ records and claiming some participants abused interoperability frameworks (including Carequality and TEFCA) to obtain and monetize sensitive health data without appropriate consent or authorization.
Separately, pharmacy services provider PharMerica agreed to a $5.2 million class-action settlement tied to a 2023 hacking incident attributed to the Money Message ransomware group, which claimed exfiltration of 4.7 TB and later leaked data affecting 5.8 million people (including SSNs and medication/insurance details), alongside commitments to invest further in security. Outside healthcare, California’s Attorney General opened a probe into xAI after Grok was used to generate and post non-consensual sexualized deepfakes, while Google agreed to pay $8.25 million to settle claims that its AdMob SDK collected data from children’s devices in “Designed for Families” apps in alleged violation of COPPA; a separate YouTube children’s-data settlement was also noted. A HIPAA Privacy Rule update was also reported as moving closer to finalization following an HHS OCR tribal consultation notice, but it is a regulatory development rather than a specific incident.
Related Stories

Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. **Kaiser Permanente** agreed to a **$46 million** settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including **Google, Microsoft Bing, Twitter/X, and Adobe**) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans **2017–2024**. Separately, two healthcare entities reached settlements following **network intrusions** that allegedly exposed protected health information and other sensitive identifiers. **Mystic Valley Elder Services** agreed to pay **$520,000** to settle claims stemming from an **April 2024** incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting **~89,600** people; plaintiffs also alleged delayed detection and notification. **Consulting Radiologists Ltd.** received approval for a **$2.2 million** settlement after a 2024 intrusion affecting up to **583,824** individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
2 months ago
Healthcare and public-sector data breaches and breach-related litigation
Multiple organizations reported **unauthorized access and data exposure events** affecting large populations, with several incidents tied to third-party systems or business associates. The Minnesota Department of Human Services notified nearly **304,000** people after a user associated with a licensed healthcare provider accessed demographic records in the *MnChoices* system (managed by vendor **FEI Systems**) beyond what was authorized; most impacted records were demographic data, with a smaller subset including some medical information and, for some, the last four digits of SSNs. Monroe University reported a **December 2024** intrusion with data exfiltration affecting about **320,973** individuals, with exposed data potentially including SSNs, government IDs, financial account information, and health/insurance data; notification letters began in early January 2026. Separately, Mid Michigan Medical Billing Service disclosed a **March 2025** cyberattack that exposed PHI for **28,185** individuals across healthcare clients, and VillageCareMAX reported a breach involving business associate **TMG Health** (details referenced as part of a broader business-associate breach update). Other items in the set describe distinct, unrelated security stories rather than the same incident: an underground-market sale of **Raaga** user data (10.2M records, including passwords stored as **unsalted MD5 hashes**), a settlement in litigation tied to the **Veradigm** breach (over 2M patients; **$10.5M** class-action settlement), and a **ransomware** incident at **Valley Eye Associates** where a group identified as **Qilin** claimed exfiltration (139 GB) and published data. 
Additional references include commentary on UK government handling of an **Afghan data breach** (spreadsheet emailed outside the MoD and use of an injunction) and broader analysis of healthcare breach trends and UK ambulance-service breach reporting; these provide context but do not describe the same specific event as the Minnesota DHS or other named incidents.
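The Raaga item above turns on one technical detail: the passwords were stored as unsalted MD5 hashes. The script below is an added illustration of why that matters, written for this page rather than taken from any of the reported organizations or the cited coverage; the accounts, passwords, guess list and the reduced PBKDF2 iteration count are all constructed for the demo. It shows the two consequences of an unsalted, fast hash against a leaked table (shared passwords are visible without cracking, and one hash per guess cracks every matching account at once) and contrasts them with per-user salts plus a slow KDF, where the attacker's work grows with the number of accounts and the iteration count.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data from any breach). Two users share a
# password, which is exactly what an unsalted hash column makes visible.
SAMPLE_PASSWORDS = {
    "alice": "password123",
    "bob": "qwerty",
    "carol": "password123",
    "dave": "c0rrect-horse-battery",   # not in the guess list below
}
# Constructed guess list standing in for a real cracking wordlist.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]

# Iteration count lowered so the demo runs quickly; OWASP currently recommends
# 600,000 for PBKDF2-HMAC-SHA256 in production.
DEMO_ITERATIONS = 200_000


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def leaked_rows(passwords):
    """Model the leaked table: (username, unsalted MD5 of the password)."""
    return [(user, md5_hex(pw)) for user, pw in passwords.items()]


def duplicate_hash_groups(rows):
    """Without salts, equal passwords give equal digests, so shared passwords
    are visible before a single guess is hashed."""
    counts = Counter(digest for _, digest in rows)
    return {digest: n for digest, n in counts.items() if n > 1}


def crack_unsalted_md5(rows, wordlist):
    """Hash each guess once and look every account up in the result: the cost
    is len(wordlist) MD5 calls no matter how many rows the dump has (this is
    what lookup and rainbow tables precompute)."""
    table = {md5_hex(guess): guess for guess in wordlist}
    cracked = {user: table[digest] for user, digest in rows if digest in table}
    return cracked, len(wordlist)


def hash_password(password, salt=None, iterations=DEMO_ITERATIONS):
    """Hardened storage: random per-user salt plus a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=DEMO_ITERATIONS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def salted_records(passwords):
    return {user: hash_password(pw) for user, pw in passwords.items()}


def all_digests_distinct(records):
    """Salting removes the duplicate-password leak even for identical passwords."""
    digests = [digest for _, digest in records.values()]
    return len(set(digests)) == len(digests)


def crack_salted(records, wordlist, iterations=DEMO_ITERATIONS):
    """Per-user salts force one KDF run per (account, guess) pair, and each run
    costs `iterations` HMAC evaluations instead of one MD5."""
    cracked, kdf_runs = {}, 0
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            kdf_runs += 1
            if verify_password(guess, salt, digest, iterations):
                cracked[user] = guess
                break
    return cracked, kdf_runs


if __name__ == "__main__":
    rows = leaked_rows(SAMPLE_PASSWORDS)
    print("shared-password groups:", duplicate_hash_groups(rows))
    print("unsalted MD5 cracked:", crack_unsalted_md5(rows, WORDLIST))
    records = salted_records(SAMPLE_PASSWORDS)
    print("salted digests distinct:", all_digests_distinct(records))
    print("salted+PBKDF2 cracked:", crack_salted(records, WORDLIST))
```

With the five-entry guess list the unsalted table falls to 5 MD5 calls for all four accounts, while the salted table needs 16 separate PBKDF2 runs (each of them 200,000 HMAC iterations here) to recover the same three weak passwords; a real wordlist and a real dump multiply both figures, but only the salted cost scales with the number of accounts. The same argument applies to bcrypt, scrypt or Argon2 in place of PBKDF2.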
1 month ago
Healthcare Data Breach and Ransomware Incident Roundup
Several healthcare-related organizations disclosed **separate data breach incidents** involving ransomware, unauthorized network access, and third-party compromise. CommonSpirit Health said patient data was exposed through a downstream vendor chain after **Pinnacle Holdings Ltd** suffered a ransomware attack in which attackers were present in the network from November 11 to November 25, 2024, and exfiltrated files; word of the incident later reached CommonSpirit through **NorthGauge Healthcare Advisors**. Meadowlark Hills and MedPeds also disclosed breaches tied to the **Beast ransomware** group, while Tieu Dental reported unauthorized access to its network in July 2025 that exposed patient information including Social Security numbers and medical and insurance data. These incidents led to regulatory notifications and offers of credit monitoring or identity theft protection for affected individuals. A separate legal development involved **Geisinger Health** and **Nuance Communications**, where a judge approved a **$5 million settlement** over claims tied to a former Nuance employee's theft of medical records affecting about 1.3 million patients. That matter differs from the ransomware and breach notifications because it concerns civil litigation over an earlier insider data theft rather than a newly disclosed intrusion. Overall, the reporting reflects ongoing exposure of protected health information across the healthcare sector through both direct attacks and third-party relationships, with delayed notification timelines and incomplete early visibility into the full scope of compromised data remaining recurring issues.
Today