The Cost of Getting Hacked: Healthcare Class Action Settlements Are Accelerating

And Your Board Should Be Paying Attention

By Scott Ashton, CISSP, CISM | The Fowler Group, LLC | March 2026


In the last two years, 20 healthcare organizations (listed below) have settled class action lawsuits resulting from data breaches — paying out north of $56 million in combined settlement funds. And that number doesn’t include the elephant in the room: Change Healthcare, where 190 million+ records were compromised and 78 lawsuits remain in active multidistrict litigation (MDL) with no resolution in sight.

For boards, C-suites, and compliance leaders, this isn’t a trend you can monitor from a distance anymore. These settlements are accelerating in both frequency and size — and they’re hitting organizations of every scale, from the nation’s largest hospital operator down to single-specialty practices with fewer than 30,000 patients.

Here’s what the settlement landscape looks like right now.


The Big Three: Settlements Above $5 Million

Harvard Pilgrim Health Care / Point32Health — $16,000,000
A ransomware attack in April 2023 compromised the data of nearly 3 million health plan members. Unauthorized actors maintained access for three weeks. The settlement covers SSNs, medical histories, treatment data, and insurance details. Class members could claim up to $35,000 for documented extraordinary losses.

HCA Healthcare — $11,000,000
The nation’s largest hospital operator settled after a 2023 breach affecting 11.27 million patients across 20 states. Twenty-seven class action lawsuits were consolidated. The compromised patient records were held in an external storage location rather than on HCA’s core systems — a stark reminder that third-party risk covers wherever your own data sits, not just the vendors who process it.

Omni Family Health — $6,500,000
This California nonprofit healthcare provider settled after an August 2024 breach exposed patient and employee SSNs. Members of the California subclass received an additional $100 payment — a preview of how state-level privacy statutes are layering additional exposure on top of federal claims.


Mid-Range: Settlements Between $1M and $5M

Capital Health System — $4,500,000
A New Jersey/Pennsylvania health system hit by LockBit ransomware in November 2023. The attackers claimed to have exfiltrated 10 million files containing over 7 terabytes of data. The IT outage lasted two full weeks and disrupted patient services, including outpatient radiology and elective surgeries. Over 503,000 individuals were affected.

Gryphon Healthcare — $2,800,000
A medical billing company — a business associate under HIPAA — whose partner organization’s security lapse exposed 393,358 patients’ data. This one is critical for third-party risk management (TPRM) programs: the breach didn’t originate at Gryphon, but Gryphon bore the litigation.

American Addiction Centers — $2,750,000
A September 2024 breach affecting 423,065 individuals, including the PHI of over 410,000 current and former patients in substance abuse treatment — among the most sensitive categories of health data.

General Physician, P.C. — $2,500,000
A Western New York medical group compromised through its email environment. Unauthorized access persisted for over two months (April to June 2024) before detection.

Alabama Cardiovascular Group — $2,225,000
Threat actors accessed the network for nearly a month and exfiltrated patient and employee files. Multiple lawsuits were consolidated. The settlement included two years of credit monitoring.

Duly Health and Care — $1,880,000
This one stands apart: the settlement wasn’t for a traditional cyberattack but for the use of Meta Pixel tracking code on authenticated patient portal pages, which plaintiffs alleged was an impermissible disclosure of PHI under HIPAA. A cautionary tale for any organization that hasn’t audited its web tracking technologies.


Settlements Under $1 Million — Don’t Let the Size Fool You

Even at the sub-million level, the legal and reputational exposure is severe for smaller practices:

Hypertension Nephrology Associates — $625,000 (ransomware, 39,491 patients, Willow Grove, PA)

Columbia University Health Care — $600,000 (unauthorized access persisted ~6 months, 29,629 patients)

LifeBridge Health — $575,000 (network intrusion, Maryland hospital system with 4 hospitals)

Asheville Arthritis & Osteoporosis Center — $500,000 (cyberattack, 58,251 patients)


Additional Settled Cases

Several more organizations have reached settlements with amounts undisclosed or still being finalized:

Rocky Mountain Gastroenterology Associates — 366,491 patients affected (Sep 2024)

Northeast Rehabilitation Hospital Network — 148,515 patients, attributed to the Hunters International threat group (May 2024)

Emergency Medical Services Authority (EMSA) — Oklahoma EMS patients (Feb 2024)

Intermountain Planned Parenthood (Montana) — 56,917 patients (Aug 2024, final approval granted)

Carespring Health Care Management — 64,609 patients (Oct 2023)

Regional Obstetrical Consultants — 25,787 patients, TN/GA (May 2024)

Carolina Arthritis Associates — settlement pending final hearing


What Should Boards and Leadership Take From This?

1. Litigation is not “if” — it’s “when.” Virtually every significant healthcare data breach now triggers class action lawsuits, often within weeks of the breach notification. The pattern is fully established.

2. Settlement sizes correlate to affected populations, but even small breaches carry real financial exposure. A breach affecting fewer than 30,000 patients (Columbia University Health Care, 29,629 patients) still generated a $600,000 settlement plus legal costs, business disruption, and reputational damage.

3. Third-party and business associate risk is getting litigated. The Gryphon Healthcare settlement shows that your vendor’s security failure becomes your litigation. TPRM programs are no longer optional — they’re a liability shield, but only when the vendor due diligence is actually performed and documented.

4. Web tracking technologies are a live wire. The Duly Health and Care settlement over Meta Pixel on authenticated pages should be a wake-up call for any organization that hasn’t completed a tracking technology audit.

5. Ransomware groups are naming names. LockBit (Capital Health System), Hunters International (Northeast Rehab), and others are not just encrypting — they’re exfiltrating and publicly claiming responsibility, which accelerates the litigation timeline.

6. Change Healthcare remains the defining case. With 190+ million affected individuals and 78 lawsuits in MDL, the eventual settlement will likely set the high-water mark for healthcare breach litigation. Every CISO and board member should be tracking this.
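The tracking-technology audit that the Duly Health and Care entry and takeaway 4 call for, as an added example: this is not code from the article, from Duly Health and Care, or from any organization named above. It is a small Python scanner that takes portal pages as (url, requires_auth, html) tuples, finds third-party tracking loaders and beacons, and rates a hit HIGH when it sits behind a login, because the Meta Pixel reports the page URL and on-page events to Meta, and on a patient portal that URL can carry appointment or provider context. It goes slightly beyond the Duly case by also recognizing Google tag loaders. The tracker host list, the inline JavaScript signatures, and the three sample pages are constructed assumptions for this example, not real portal content.

```python
"""Tracking-technology audit for patient-portal pages (added example, not from the article).

Given (url, requires_auth, html) tuples, find third-party tracking loaders and pixels
and rate each hit HIGH when it sits on an authenticated page. The watch-list, the
inline signatures and the sample pages below are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed watch-list of tracker hosts; extend it for your own environment.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

# The pixel is usually bootstrapped by inline JS rather than a <script src>, so a
# src-only scan misses it; these signatures catch the inline initialisation calls.
INLINE_SIGNATURES = [
    (re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"), "Meta Pixel (inline fbq init)"),
    (re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"), "Google Analytics (inline gtag config)"),
]


class TagCollector(HTMLParser):
    """Collect src attributes of script/img/iframe tags plus the body of each inline <script>."""

    def __init__(self):
        super().__init__()
        self.sources = []          # (tag, src)
        self.inline_scripts = []   # full text of each inline <script>
        self._buf = None           # buffer while inside an inline script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.sources.append((tag, a["src"]))
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_scripts.append("".join(self._buf))
            self._buf = None


def classify(src):
    """Return the tracker name a src URL loads, or None. Handles scheme-relative '//' URLs."""
    u = urlsplit(src)
    host = u.netloc.lower()
    if host in TRACKER_HOSTS:
        return TRACKER_HOSTS[host]
    if host == "www.facebook.com" and u.path == "/tr":   # the <noscript> image beacon
        return "Meta Pixel (image beacon)"
    return None


def find_trackers(html):
    """Return (tracker_name, tag, src) for every tracker found in one page."""
    p = TagCollector()
    p.feed(html)
    p.close()
    found = [(name, tag, src) for tag, src in p.sources if (name := classify(src))]
    for js in p.inline_scripts:
        for pattern, name in INLINE_SIGNATURES:
            if pattern.search(js):
                found.append((name, "script", "inline"))
    return found


def audit(pages):
    """pages: iterable of (url, requires_auth, html). HIGH findings sort first."""
    findings = []
    for url, requires_auth, html in pages:
        for name, tag, src in find_trackers(html):
            findings.append({"page": url, "tracker": name, "via": tag, "src": src,
                             "severity": "HIGH" if requires_auth else "REVIEW"})
    findings.sort(key=lambda f: f["severity"] != "HIGH")
    return findings


# Constructed sample pages: one public landing page and two authenticated portal pages.
SAMPLE_PAGES = [
    ("https://portal.example.org/", False, """<html><head><script>
(function(d,s){var t=d.createElement(s);t.async=1;
t.src='https://connect.facebook.net/en_US/fbevents.js';d.head.appendChild(t);})(document,'script');
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script></head><body>Welcome</body></html>"""),
    ("https://portal.example.org/appointments/schedule?provider=oncology", True,
     """<html><head><script async src="//connect.facebook.net/en_US/fbevents.js"></script></head>
<body><noscript><img height="1" width="1"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<h1>Schedule with Oncology</h1></body></html>"""),
    ("https://portal.example.org/messages", True, "<html><body><h1>Messages</h1></body></html>"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGES):
        print(f"{f['severity']:6} {f['tracker']:32} {f['page']}  ({f['via']}: {f['src']})")
```

Run it against HTML captured from an authenticated browser session (a crawler that cannot log in will never see the pages that matter). Two findings on the scheduling page come from the same pixel, the script loader and its noscript beacon, so an audit should deduplicate by page before counting; the severity split is what matters for a HIPAA review, since a pixel on a public landing page is a policy question while the same pixel on a page whose URL names a specialty is the disclosure pattern the Duly litigation targeted.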


The through-line is clear: cybersecurity governance is no longer a technical function — it’s a fiduciary obligation. For boards operating under Caremark duties and for leadership teams accountable under HIPAA, the question isn’t whether you can afford a robust cybersecurity program. It’s whether you can afford not to have one.


Scott Ashton is the owner and principal of The Fowler Group, LLC, a cybersecurity consultancy operating at the vCISO/CISO level. He holds CISSP and CISM certifications and advises healthcare, legal, and critical infrastructure organizations on cybersecurity governance, risk management, and regulatory compliance.

Sources: HIPAA Journal, ClassAction.org, Top Class Actions, court filings. Data compiled March 2026.