Healthcare and consumer privacy litigation over alleged improper data access and collection
Multiple legal actions highlighted ongoing privacy and data-protection risk across healthcare and consumer platforms. Epic Systems sued health information exchange implementer Health Gorilla and several provider organizations, alleging improper access to roughly 300,000 patients’ records and claiming some participants abused interoperability frameworks (including Carequality and TEFCA) to obtain and monetize sensitive health data without appropriate consent or authorization.
Separately, pharmacy services provider PharMerica agreed to a $5.2 million class-action settlement tied to a 2023 hacking incident attributed to the Money Message ransomware group, which claimed exfiltration of 4.7 TB and later leaked data affecting 5.8 million people (including SSNs and medication/insurance details), alongside commitments to invest further in security. Outside healthcare, California’s Attorney General opened a probe into xAI after Grok was used to generate and post non-consensual sexualized deepfakes, while Google agreed to pay $8.25 million to settle claims that its AdMob SDK collected data from children’s devices in “Designed for Families” apps in alleged violation of COPPA; a separate YouTube children’s-data settlement was also noted. A HIPAA Privacy Rule update was also reported as moving closer to finalization following an HHS OCR tribal consultation notice, but it is a regulatory development rather than a specific incident.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Epic sues Health Gorilla over alleged improper record access
On or before January 16, 2026, Epic Systems and co-plaintiffs filed a lawsuit against Health Gorilla and related entities and individuals. The complaint alleges improper access to roughly 300,000 patients' medical records through interoperability frameworks and claims the data was monetized, including for marketing to mass-tort law firms.
Court preliminarily approves PharMerica breach settlement
On January 12, 2026, the court granted preliminary approval of a settlement resolving the class action over the PharMerica data breach. The agreement includes a $5.275 million fund and commitments to spend additional millions on security and business practice improvements.
Judge allows key negligence claims in PharMerica lawsuit
In January 2024, a federal judge partially granted a motion to dismiss in the consolidated case Lurry v. PharMerica Corporation. Several claims were dismissed, but negligence claims were allowed to proceed.
PharMerica breach affects about 5.8 million individuals
The PharMerica incident exposed sensitive data including names, addresses, dates of birth, medication information, Social Security numbers, and health insurance information. Approximately 5.8 million individuals were reported affected by the breach.
Money Message claims PharMerica cyberattack and data theft
In March 2023, PharMerica suffered a cyberattack that was later claimed by the Money Message ransomware group. The group alleged it exfiltrated 4.7 TB of data and subsequently leaked files on its dark web leak site.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. **Kaiser Permanente** agreed to a **$46 million** settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including **Google, Microsoft Bing, Twitter/X, and Adobe**) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans **2017–2024**. Separately, two healthcare entities reached settlements following **network intrusions** that allegedly exposed protected health information and other sensitive identifiers. **Mystic Valley Elder Services** agreed to pay **$520,000** to settle claims stemming from an **April 2024** incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting **~89,600** people; plaintiffs also alleged delayed detection and notification. **Consulting Radiologists Ltd.** received approval for a **$2.2 million** settlement after a 2024 intrusion affecting up to **583,824** individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
Mar 21, 2026
Healthcare and public-sector data breaches and breach-related litigation
Multiple organizations reported **unauthorized access and data exposure events** affecting large populations, with several incidents tied to third-party systems or business associates. The Minnesota Department of Human Services notified nearly **304,000** people after a user associated with a licensed healthcare provider accessed demographic records in the *MnChoices* system (managed by vendor **FEI Systems**) beyond what was authorized; most impacted records were demographic data, with a smaller subset including some medical information and, for some, the last four digits of SSNs. Monroe University reported a **December 2024** intrusion with data exfiltration affecting about **320,973** individuals, with exposed data potentially including SSNs, government IDs, financial account information, and health/insurance data; notification letters began in early January 2026. Separately, Mid Michigan Medical Billing Service disclosed a **March 2025** cyberattack that exposed PHI for **28,185** individuals across healthcare clients, and VillageCareMAX reported a breach involving business associate **TMG Health** (details referenced as part of a broader business-associate breach update). Other items in the set describe distinct, unrelated security stories rather than the same incident: an underground-market sale of **Raaga** user data (10.2M records, including passwords stored as **unsalted MD5 hashes**), a settlement in litigation tied to the **Veradigm** breach (over 2M patients; **$10.5M** class-action settlement), and a **ransomware** incident at **Valley Eye Associates** where a group identified as **Qilin** claimed exfiltration (139 GB) and published data. Additional references include commentary on UK government handling of an **Afghan data breach** (spreadsheet emailed outside the MoD and use of an injunction) and broader analysis of healthcare breach trends and UK ambulance-service breach reporting; these provide context but do not describe the same specific event as the Minnesota DHS or other named incidents.
Mar 21, 2026
Healthcare Data Breach and Ransomware Incident Roundup
Several healthcare-related organizations disclosed **separate data breach incidents** involving ransomware, unauthorized network access, and third-party compromise. CommonSpirit Health said patient data was exposed through a downstream vendor chain after **Pinnacle Holdings Ltd** suffered a ransomware attack, with attackers present in the network from November 11 to November 25, 2024, and exfiltrating files before the incident was later relayed through **NorthGauge Healthcare Advisors**. Meadowlark Hills and MedPeds also disclosed breaches tied to the **Beast ransomware** group, while Tieu Dental reported unauthorized access to its network in July 2025 that exposed patient information including Social Security numbers, medical and insurance data. These incidents led to regulatory notifications and offers of credit monitoring or identity theft protection for affected individuals. A separate legal development involved **Geisinger Health** and **Nuance Communications**, where a judge approved a **$5 million settlement** over claims tied to a former Nuance employee's theft of medical records affecting about 1.3 million patients. That matter differs from the ransomware and breach notifications because it concerns civil litigation over an earlier insider data theft rather than a newly disclosed intrusion. Overall, the reporting reflects ongoing exposure of protected health information across the healthcare sector through both direct attacks and third-party relationships, with delayed notification timelines and incomplete early visibility into the full scope of compromised data remaining recurring issues.
Apr 17, 2026