$3.3M Settlement Resolves Data Breach Lawsuit Against Mt. Baker Imaging & Northwest Radiologists

Posted by Steve Alder

Mt. Baker Imaging and Northwest Radiologists have agreed to pay $3,300,000 to settle a consolidated class action lawsuit stemming from a January 2025 ransomware attack and data breach affecting hundreds of thousands of patients.

Mt. Baker Imaging is a Washington-based medical imaging provider that uses Northwest Radiologists for interpreting medical images. In January 2025, a cyberattack was identified, and the forensic investigation determined that an unauthorized third party accessed its network between January 20, 2025, and January 25, 2025, and obtained files containing names, contact information, dates of birth, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, and health insurance information. The data breach was reported to the Washington Attorney General as affecting 348,118 state residents, and the HHS’ Office for Civil Rights was informed that the protected health information of up to 362,713 individuals was compromised in the incident.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated in a single complaint – In re: Mt. Baker Imaging, LLC, Data Security Litigation – in the Superior Court of the State of Washington for Whatcom County. The lawsuit alleged that the defendants failed to implement and maintain necessary data security safeguards, and asserted claims for negligence, breach of implied contract, invasion of privacy-intrusion upon seclusion, unjust enrichment, and violations of the Uniform Health Care Information Act, Washington Consumer Protection Act, Washington Data Breach Notification Disclosure Law, and Washington My Health My Data Act.

The defendants and the plaintiffs disagree about the legal claims made in the litigation; however, all parties agreed that a settlement was the best outcome, due to the benefits provided to the class members and the avoidance of the costs, risks, and uncertainty of continuing with the litigation. The defendants have agreed to establish a $3,300,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the nine class representatives. The remainder of the settlement fund will be used to pay benefits to approximately 340,184 class members.

All class members are entitled to claim a two-year membership to a medical identity theft protection and monitoring service, and may submit claims for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and claim a pro rata cash payment. The pro rata cash payments will distribute the net amount of the settlement fund after costs, expenses, claims, and medical identity theft protection and monitoring costs have been paid.

The deadline for objection and exclusion is July 20, 2026, and claims must be submitted by August 19, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 21, 2026.

The post $3.3M Settlement Resolves Data Breach Lawsuit Against Mt. Baker Imaging & Northwest Radiologists appeared first on The HIPAA Journal.

Singing River Health System: 54K Individuals Affected by December Cyberattack

Posted by Steve Alder

Singing River Health System in Mississippi has issued an update on a cybersecurity incident that was first announced in December 2025, shortly after the attack was detected. In the updated breach notice, Singing River Health System explained that its investigation revealed an unauthorized third party had access to certain computer systems between December 19, 2025, and December 21, 2025. On February 10, 2026, Singing River Health System confirmed that the unauthorized individual had access to files containing patient information.

The file review has recently concluded and revealed that the exposed data included names in combination with one or more of the following: contact information, Social Security numbers, driver’s license numbers, dates of birth, diagnostic/treatment information, medication information, dates of service, bank account information, health insurance information, provider names, and internal patient identification numbers.

Singing River Health System said it will continue to implement and evaluate enhanced safeguards and security measures to further protect its systems. The affected individuals have been advised to review the statements they receive from their healthcare providers and insurers for any services that have not been received. The incident has recently been reported to the HHS’ Office for Civil Rights as affecting 53,888 individuals.

Adams County Memorial Hospital

Adams County Memorial Hospital has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 5,305 individuals. The data was exposed as a result of an employee responding to a phishing email, which allowed an unauthorized third party to gain access to the employee’s email account on December 22, 2026. The breach was confined to the email account. The electronic medical record system was not affected. The investigation confirmed that the account contained personal and protected health information such as names, addresses, dates of birth, Social Security numbers, dates of service, diagnoses, charges, and health insurance information.

In response to the incident, additional security protocols have been implemented to protect against future phishing incidents, and additional education has been provided to employees on phishing and malicious email identification. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Central Kansas Mental Health Center

Central Kansas Mental Health Center in Salina, KS, has experienced a cybersecurity incident that exposed patient data. The incident was first identified on September 26, 2025, when suspicious activity was observed within its computer network. Immediate action was taken to contain the incident, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed that an unauthorized third party accessed its network and likely exfiltrated files containing patient data. The files are being reviewed to determine the types of data involved and the individuals affected. Central Kansas Mental Health Center first announced the data breach via its website in November 2025, confirming that credit monitoring and identity theft protection services are being made available.  Central Kansas Mental Health Center has not identified any misuse of the exposed data to date. The incident has yet to be added to the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Singing River Health System: 54K Individuals Affected by December Cyberattack appeared first on The HIPAA Journal.

Parents Sue Minnesota Hospital to Enforce HIPAA Right of Access for Minor Child’s Medical Records

Posted by Steve Alder

The parents of a 15-year-old child have filed a lawsuit against a Minnesota hospital for failing to provide them with full access to their minor child’s medical records. Under federal law – The HIPAA Privacy Rule – parents have the right to obtain a copy of the medical records of their minor children in the form and format requested. While there are exceptions to the HIPAA Right of Access concerning parental access to the medical records of minor children, none apply in this case.

The daughter of Shaun and Katherine Johnson was diagnosed with a rare chromosomal condition called mosaic Turner syndrome when she was aged 11. The condition requires lifelong heart monitoring due to elevated cardiovascular risks, and the parents require real-time access to their child’s medical records to help them effectively manage her care.

The parents lost access to their daughter’s medical records when she turned 12, when Fairview Health Services applied its policy of shutting off parental access to children’s MyChart medical records. Under the hospital’s policy, which is based on an interpretation of state law, access can only be continued if hospital staff conduct a private interview with the child, and the child and staff agree to restore full MyChart access to the child’s parents.  The parents declined to sign the consent form and have therefore been refused access to their child’s medical records through MyChart.

The parents submitted a request for access to their minor child’s records via an Authorization for Release of Protected Health Information, and were provided with a copy of some of their daughter’s records; however, the request took three weeks to process, and the copy lacked important details required for the management of the child’s care. For instance, medical images can only be provided in electronic form via the MyChart portal.

“When your child is diagnosed with a serious condition, every appointment, test result, and next step matters,” said father Shaun Johnson. “Instead of allowing us to manage her care through the normal MyChart system, Fairview forced us into a delayed, inadequate, and burdensome workaround.”

The Center for Individual Rights (CIR), a Washington D.C.-based non-profit, public interest law firm dedicated to defending individual liberties, filed a complaint with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), alleging the refusal to provide parents with access to the MyChart portal for their minor children over 12 years of age was a violation of the HIPAA Privacy Rule.

OCR responded, confirming in a letter to the Privacy Officer of Fairview Health Services and CIR that parents are permitted access to their minor child’s medical records under HIPAA. OCR recommended filing a second complaint if the matter was not resolved, which CIR did six weeks later when the parents’ access had not been restored. The second complaint is still pending with OCR. OCR subsequently issued a “Dear Colleague” letter to the medical community confirming that, under HIPAA, and absent special circumstances, healthcare providers may not place additional limitations on parental access to their minor children’s medical records. In this case, the special circumstances do not apply.

Under Minnesota law, children have the right to decide who has access to their medical records related to pregnancy, sexually transmitted diseases, physical and sexual abuse, and substance abuse diagnosis and treatment. Fairview Health Services allows parents or legal guardians to have partial proxy access, excluding those areas, for minor children aged 12-17 years of age. Full proxy access is only granted with the child’s consent. Since the parents object to an intrusive, unsupervised interview with their daughter, they are prevented from having timely and complete access to their daughter’s medical records to the extent required to engage effectively in her care.

The lawsuit alleges federal law preempts state law and that Fairview Health’s policy is inconsistent with Minnesota law. The lawsuit seeks a declaratory judgment and permanent injunction ordering that the Minnesota Health Records Act requires providing the parents with unrestricted access to their daughter’s medical records. “A hospital cannot apply state law to lock parents out of their own child’s medical records,” said CIR Litigation Director Caleb Kruckenberg. “Federal law is supreme. Our federalist system is built to better protect individual rights—in this case, the parental right to supervise and participate in a minor child’s medical care.”

The post Parents Sue Minnesota Hospital to Enforce HIPAA Right of Access for Minor Child’s Medical Records appeared first on The HIPAA Journal.

Family Medicine Centers Pays $2.15M to Resolve Data Breach Lawsuit

Posted by Steve Alder

FMC Services, LLC, which does business as Family Medicine Centers in Texas, has agreed to a $2,150,000 settlement to resolve claims related to a July 2022 data breach. Amarillo, TX-based Family Medicine Centers is a network of four primary care clinics in Amarillo and Canyon, and urgent care clinics operating under the name of CareXpress.

On or around July 26, 2022, a data security incident was identified. Unauthorized individuals accessed its network systems, which contained personally identifiable information (PII) and protected health information (PHI) such as names, mailing addresses, birth dates, and Social Security numbers, and health information. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 233,948 individuals. According to the lawsuit, notification letters were sent to 266,540 individuals.

Multiple lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Sharber, et al. v. FMC Services, LLC – in the District Court of Potter County, Texas. The consolidated lawsuit alleged that the defendant had implemented inadequate data security measures, resulting in an intrusion and the theft of sensitive data. The lawsuit asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment, and sought declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages, and equitable relief.

Family Medicine Centers denied and continues to deny all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability. In mid-2024, the parties began discussing the prospect of a settlement to bring the litigation to an end. A mediation session was scheduled but ended without a settlement being reached. Following extensive discovery and litigation, and a failed defendant’s Motion for Summary Judgment, the parties agreed to a second attempt at mediation, and the material terms of a settlement were agreed upon.

The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court. The final fairness hearing has been scheduled for September 15, 2026. The defendant has agreed to establish a $2,150,000 settlement fund, which will be used to pay benefits to the class members, once attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the four class representatives have been deducted.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. If a claim for reimbursement of losses is not submitted, class members may instead file a claim for an alternative cash payment, which is estimated to be $75 per class member, although the amount depends on the remaining funds once the reimbursement claims have been paid.

In addition to one of the cash payments, a claim may be submitted for a two-year membership to a medical data monitoring service. Class members wishing to object to or exclude themselves from the settlement must do so by August 17, 2026. Claims must be submitted by August 31, 2026.

The post Family Medicine Centers Pays $2.15M to Resolve Data Breach Lawsuit appeared first on The HIPAA Journal.

Patient Data Exposed in Cyberattacks on Dental Practices

Posted by Steve Alder

Data breaches have been announced by Bridle Trails Family Dentistry, Verber Dental Group, and Bronsky Orthodontics. Across the three incidents, the protected health information of more than 32,700 individuals was exposed and potentially stolen.

Bridle Trails Family Dentistry

Bridle Trails Family Dentistry, a dental practice in Kirkland, Washington, has notified 20,976 current and former patients about a cybersecurity incident that occurred in the Fall of 2024 that exposed some of their personal and protected health information. According to the April 10, 2026, breach notification letters, an investigation was launched into a potential breach of its email environment, which confirmed that an employee’s email account was accessed by an unauthorized individual between November 19, 2024, and November 25, 2024. The account was reviewed, and Bridle Trails Family Dentistry learned on March 12, 2026, that the account contained a limited amount of personal and health information.

Data potentially compromised in the incident included full names, birth dates, Social Security numbers, reason for visit, medical provider name, clinical/treatment information, driver’s license numbers, taxpayer ID numbers, medical record numbers, and health insurance information. The impacted information varied from individual to individual. At the time of issuing notifications, Bridle Trails Family Dentistry was unaware of any misuse of data as a direct result of the incident. Bridle Trails Family Dentistry said it has taken many precautions to safeguard the personal and protected health information in its possession and continually evaluates and modifies its practices and internal controls.

Verber Dental Group

Verber Dental Group PC, a Camp Hill, Pennsylvania-based network of 14 dental practices, has announced a breach of the protected health information of up to 8,598 individuals. Suspicious activity was identified within its network environment on January 27, 2026. Immediate action was taken to ensure its network environment was secure, and an investigation was launched to determine whether sensitive data had been exposed.

The forensic investigation determined that an unauthorized third party had access to files containing patient data, which may have been viewed or acquired between January 26, 2026, and January 27, 2026. The files on the compromised parts of its network were reviewed and found to contain names, Social Security numbers, dates of birth, driver’s license numbers, medical information, and health insurance information. Notification letters are being mailed to the affected individuals, and steps have been taken to reduce the risk of similar incidents in the future.

Bronsky Orthodontics

Bronsky Orthodontics, an orthodontic practice in New York City, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 3,183 individuals. Suspicious activity was identified within an employee’s email account on October 16, 2025. The account was immediately secured, and an investigation was launched to determine the nature and scope of the activity. Assisted by third-party cybersecurity specialists, Bronsky Orthodontics determined that a limited number of email accounts had been accessed by an unknown actor between August 18, 2025, and October 16, 2025.

The accounts were reviewed, and on March 11, 2026, Bronsky Orthodontics determined that they contained patient information such as names, dates of birth, contact information, dental and orthodontic treatment information, and insurance information. A limited number of individuals also had their financial account information, Social Security numbers, driver’s licenses, and/or other government-issued identification numbers exposed.   Policies and procedures related to data privacy and security are being reviewed as a result of the incident.

The post Patient Data Exposed in Cyberattacks on Dental Practices appeared first on The HIPAA Journal.