HCA Healthcare Inc. has decided to settle a class action lawsuit over a July 2023 data breach that was reported to OCR as affecting 11,270,000 individuals. The affected patients received medical care at HCA hospitals and physicians’ clinics in 20 U.S. states.
Hackers targeted HCA Healthcare and stole a database after accessing an external storage location used for automating email formatting. The stolen database contained 27.7 million files, including names, contact data, birth dates, and appointment data. After not receiving a ransom payment, the hackers listed the stolen database for sale.
HCA Healthcare, a HIPAA-covered entity, reported the data breach to OCR on or about July 10, 2024. A couple of days later, the first class action lawsuit against HCA Healthcare was filed. Because of the data breach, HCA Healthcare is facing a total of 27 putative class action lawsuits, which allege negligence for insufficient cybersecurity measures and for failing to properly secure patient data. The consolidated lawsuit, In re HCA Healthcare, Inc. Data Security Litigation, is filed in the U.S. District Court for the Middle District of Tennessee.
HCA Healthcare denies all claims and contentions in the lawsuit; nevertheless, it agreed to settle the litigation without admitting liability or wrongdoing. Although the total settlement amount has not been announced, the plaintiffs’ lawyers may claim approximately $3.1 million in fees. Lawyers generally get a third of the settlement amount, which implies the settlement fund is over $9 million. Fifteen class representatives will each get a service award of around $5,000.
Class members’ claims will be paid after the attorneys’ fees, legal costs, settlement management fees, and service awards are deducted from the settlement fund. Class members could get fraud consultation, identity theft restoration, and credit monitoring services for one year, including an identity theft insurance policy worth $1 million. Each class member could also file a claim for compensation of up to $5,000 for documented, unreimbursed expenses reasonably linked to the data breach. HCA Healthcare additionally stated that it will follow, implement, and maintain security requirements for two years to avoid similar incidents.
The last day to file an objection to, or an exemption from, the settlement is August 25, 2025. Claims should be filed on or before September 25, 2025. The final fairness hearing is scheduled for October 27, 2025.