Class-action settlements tied to data exposure and privacy claims
Comcast agreed to pay $117.5M to settle a class action tied to a large-scale breach disclosed in late 2023 that potentially affected 31M+ people. Comcast attributed the intrusion to CitrixBleed (Citrix NetScaler ADC/Gateway), a vulnerability that can enable session hijacking and credential theft; researchers warned stolen session tokens could remain valid even after patching, extending attacker access. The proposed settlement (preliminarily approved) provides reimbursement for documented losses (up to $10,000 per person) and compensation for time spent responding, while Comcast denies wrongdoing.
Separately, Google agreed to pay $135M to settle Android users’ claims that devices transmitted data to Google servers over cellular networks in the background without meaningful consent, with individual payouts capped (reported up to $100) and additional injunctive relief requiring clearer disclosures and express consent during setup. Two dermatology practices also reached settlements over cybersecurity incidents exposing patient data; one New Jersey practice reported unauthorized network access spanning Dec 2023–Mar 2024 and exposure of PHI/PII (including SSNs and treatment/insurance data) affecting 373,630 individuals, offering cash benefits plus credit monitoring/identity protection while denying liability.
Related Stories

Telecom providers face legal and regulatory fallout after major data breaches and service disruption
Comcast moved toward resolving litigation tied to its 2023 **Citrix Bleed**-linked breach, after a federal judge in Pennsylvania granted preliminary approval to a **$117.5M** settlement covering two dozen class actions. The incident was reported as potentially affecting **~30M** current and former customers; proposed relief includes **three years of credit/identity monitoring** plus either reimbursement of documented losses (up to **$10,000**) or a **$50** cash option, while Comcast continues to deny liability despite not opposing preliminary approval. Separately, South Korea’s **SK Telecom** rejected a government-affiliated consumer agency’s proposed compensation framework for a personal data leak, declining a plan that would pay **100,000 won (~$69.40)** per affected petitioner and potentially scale to a much larger total cost; the rejection leaves claimants to pursue individual civil suits. In a different telecom-related development not tied to a breach, the **FCC** opened a dedicated intake channel to collect customer reports as it investigates the **January 14 Verizon outage** that disrupted calling/texting for roughly **10 hours**, including impacts to **911** access; Verizon attributed the disruption to a software issue and offered customer credits.
1 month ago
Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. **Kaiser Permanente** agreed to a **$46 million** settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including **Google, Microsoft Bing, Twitter/X, and Adobe**) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans **2017–2024**. Separately, two healthcare entities reached settlements following **network intrusions** that allegedly exposed protected health information and other sensitive identifiers. **Mystic Valley Elder Services** agreed to pay **$520,000** to settle claims stemming from an **April 2024** incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting **~89,600** people; plaintiffs also alleged delayed detection and notification. **Consulting Radiologists Ltd.** received approval for a **$2.2 million** settlement after a 2024 intrusion affecting up to **583,824** individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
2 months ago
Healthcare and consumer privacy litigation over alleged improper data access and collection
Multiple legal actions highlighted ongoing **privacy and data-protection risk** across healthcare and consumer platforms. Epic Systems sued health information exchange implementer **Health Gorilla** and several provider organizations, alleging improper access to roughly **300,000 patients’ records** and claiming some participants abused interoperability frameworks (including **Carequality** and **TEFCA**) to obtain and monetize sensitive health data without appropriate consent or authorization. Separately, pharmacy services provider **PharMerica** agreed to a **$5.2 million** class-action settlement tied to a **2023** hacking incident attributed to the **Money Message** ransomware group, which claimed exfiltration of **4.7 TB** and later leaked data affecting **5.8 million** people (including SSNs and medication/insurance details), alongside commitments to invest further in security. Outside healthcare, California’s Attorney General opened a probe into **xAI** after **Grok** was used to generate and post non-consensual sexualized deepfakes, while Google agreed to pay **$8.25 million** to settle claims that its **AdMob SDK** collected data from children’s devices in “Designed for Families” apps in alleged violation of **COPPA**; a separate YouTube children’s-data settlement was also noted. A HIPAA Privacy Rule update was also reported as moving closer to finalization following an HHS OCR tribal consultation notice, but it is a regulatory development rather than a specific incident.
1 month ago