Staten Island University Hospital Settles Lawsuit Over Business Associate Data Breach

Posted by Steve Alder

Staten Island University Hospital (SIUH) in New York has agreed to settle a class action lawsuit over a 2024 data breach involving one of its business associates. The data breach occurred in January 2024 at The Medibase Group Inc., a vendor that provides healthcare solutions, technical assistance, and business office solutions. On or around May 8, 2024, The Medibase Group notified SIUH that an unauthorized third party had gained access to Medibase systems, which contained the protected health information of 35,106 individuals. Data compromised in the incident included names, Social Security numbers, dates of birth, medical information, and health insurance information. Notification letters were mailed to the affected individuals on July 5, 2024.

A class action lawsuit was filed by plaintiffs Belle De Santiago and Elena Girenko over the data breach – Santiago et al. v. Staten Island University Hospital – in the Superior Court of Cherokee County for the State of Georgia. The lawsuit alleged the data breach was the result of the defendant’s failure to implement reasonable and appropriate security measures to protect sensitive patient data.

The lawsuit asserted claims of negligence/negligence per se, breach of implied contract, and unjust enrichment. SIUH denies all claims of wrongdoing, fault, and liability; however, it agreed to a settlement to avoid the litigation costs and expenses, distractions, burden, expense, and disruption to its business operations associated with further litigation. Class counsel and the lead plaintiffs believe the negotiated settlement is reasonable and fair.

Class members may submit a claim for two years of medical data monitoring services, which include a $1 million identity theft insurance policy. In addition, a claim may be submitted for cash payments. A claim can be submitted for compensation for documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member. A claim may also be submitted for a $35.00 flat cash payment. The deadline for exclusion and opting out is March 2, 2026. The deadline for submitting a claim is March 16, 2026, and the final fairness hearing has been scheduled for March 31, 2026.

The post Staten Island University Hospital Settles Lawsuit Over Business Associate Data Breach appeared first on The HIPAA Journal.

Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches

Posted by Steve Alder

Data breaches have been announced by the Connecticut diagnostic laboratory Precipio, Pit River Health Service in California, and Tulane University Medical Group in Louisiana.

Precipio, Inc.

Precipio, Inc., a Connecticut-based laboratory specializing in advanced hematopathology diagnostics, has discovered unauthorized access to an employee’s cloud-based storage account. Suspicious activity was identified within the email account on or around November 25, 2025, and the investigation confirmed that an unauthorized third party accessed the employee’s account from November 23, 2025, to November 25, 2025, during which time, files were copied from the account.

The affected files are currently being reviewed to determine the information involved, and that process is currently ongoing. Precipio has yet to disclose a final list of the affected data, but said that, based on its investigation so far, information compromised in the incident includes names, addresses, dates of birth, medical record numbers, clinical/treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.

Since the file review has not yet concluded, the HHS’ Office for Civil Rights has been provided with an interim total of at least 501 affected individuals. The total will be updated when the file review is completed.

Pit River Health Service

Pit River Health Service, the operator of two healthcare clinics in Burney and Alturas in California, has recently announced a data breach affecting up to 1,800 individuals. An unauthorized third party hacked its systems and potentially copied data. Pit River Health Service has confirmed that no data was altered or deleted in the attack, and the Indian Health Service medical record system was not accessed.

In a website update, Pit River Health Service confirmed that some of the affected systems have been restored, although a more extensive security review has been conducted for other affected systems. As a result of the attack, some patient services have been delayed, but appointments and services are continuing. In response to the incident, security monitoring has been stepped up across all of its IT systems.

Tulane University Medical Group

A data breach has been reported to the HHS’ Office for Civil Rights by Administrators of the Tulane Educational Fund d/b/a Tulane University Medical Group. The Louisiana-based medical group experienced a ransomware attack that involved unauthorized access to the protected health information of 6,530 patients.

Tulane University Medical Group does not currently have a substitute data breach notice on its website, so it is unclear exactly what types of information were compromised in the incident. The Cl0p ransomware group claimed responsibility for the attack and added the medical group to its data leak site. Cl0p exploits vulnerabilities in mass attacks, typically vulnerabilities in file-sharing software. Sensitive data is stolen, and ransom demands are issued. Cl0p claims to have exploited a vulnerability on or around November 18, 2025.

The post Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches appeared first on The HIPAA Journal.

McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks

Posted by Steve Alder

McLaren Health Care has agreed to pay $14 million to settle class action litigation stemming from two ransomware attacks in 2023 and 2024 that affected more than 2.8 million patients and employees.

McLaren Health Care is a Grand Rapids, Michigan-based integrated healthcare delivery system that operates 12 hospitals and many healthcare facilities in Michigan, Indiana, and Ohio, and also a health plan. Over the space of a year, McLaren Health Care experienced two ransomware attacks. The first attack was conducted by the ALPHV/BlackCat ransomware group, which had access to its computer network from July 28, 2023, to August 23, 2023. The second attack was conducted by the Inc Ransom ransomware group, which accessed its network between July 17, 2024, and August 3, 2024.

The ALPHV/BlackCat ransomware attack affected 2,103,881 individuals, and the Inc Ransom ransomware attack affected 743,131 individuals. Data compromised in the attacks included names, Social Security numbers, information about past, present, or future physical, mental, or behavioral health or conditions, the provision of health care, and payment for health care.

The first attack was detected on August 22, 2023, and notification letters were mailed to the affected individuals on November 9, 2023. At least eight class action lawsuits were filed in response to the first data breach, which were consolidated in the United States District Court for the Eastern District of Michigan. Following the 2024 ransomware attack and data breach, a further two class action lawsuits were filed. The lawsuits were consolidated in the Michigan 7th Judicial Circuit Court for Genesee County – Cindy Womack-Devereaux, et al. v. McLaren Health Care Corporation.

The lawsuit alleged that McLaren Health Care had inadequate security measures, did not comply with industry standards for data security, FTC guidelines, or the HIPAA Rules, resulting in the first attack. Then, McLaren Health Care failed to learn from the ransomware attack and did not make the necessary security upgrades to prevent further incidents, resulting in a second ransomware attack.

The plaintiffs alleged that they suffered concrete injuries as a result of the attacks, including invasion of privacy, theft of their private information, lost or diminished value of their private information, lost time and opportunity costs, loss of benefit of the bargain, loss of employment opportunities, and a continued risk of their private information being misused, as it remains unencrypted and available for other parties to access via the dark web. The lawsuit asserted claims of negligence, breach of implied contract, breach of express contract, and unjust enrichment. McLaren Health Care disagrees with all claims and contentions in the lawsuit.

Following months of dialogue about a potential settlement, the plaintiffs issued a settlement demand, and an appropriate settlement was ultimately agreed upon following mediation. Under the terms of the settlement, class members may submit a claim for one year of single-bureau credit monitoring and identity theft protection services plus one or two cash payments. The first cash payment may be claimed for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. The losses must have been incurred on or after July 28, 2023, and be more likely than not traceable to either of the data breaches.

Regardless of whether a claim is submitted for reimbursement of losses, class members may submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees and expenses, settlement administration costs, service awards for the lead plaintiffs, credit monitoring costs, and claims for reimbursement of losses have been deducted. McLaren Health Care has also agreed to take certain remedial measures and enhance security.

The deadline for exclusion and objection is March 16, 2026. The deadline for submitting a claim is April 29, 2026, and the final approval hearing has been scheduled for April 21, 2026.

The post McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks appeared first on The HIPAA Journal.