Physician Practices Pay $50 Million to Settle Data Breach Litigation

A network of nine affiliated physician practices has agreed to pay almost $50 million to settle class action litigation stemming from a December 2022 ransomware attack that affected more than 3.4 million patients. California-based Heritage Provider Network is one of the largest healthcare networks in the United States, and includes the following physician groups and practices:

  • Regal Medical Group
  • Lakeside Medical Organization
  • Greater Covina Medical Group
  • Affiliated Doctors of Orange County Medical Group
  • Arizona Health Advantage
  • AZPC Clinics
  • Community Surgery Center of Glendale
  • Pacific Family Hospice
  • Valley’s Best Hospice

The litigation concerns a ransomware attack that was first identified on December 8, 2022, when staff experienced difficulty accessing certain network servers. The investigation identified malware on its network, unauthorized access to files, and the exfiltration of data from its servers.  The compromised data included names, telephone numbers, dates of birth, Social Security numbers, diagnoses, treatment information, test results, prescription information, radiology reports, and health plan information.

A data breach on this scale was certain to result in litigation, and more than 25 lawsuits were filed against the Heritage Provider Network and its affiliates. The lawsuits alleged that the defendants were negligent as they failed to adequately protect patients’ sensitive data. Sensitive data was stolen and published on the dark web, resulting in injuries and losses, placing the victims at an increased risk of identity theft and fraud. The lawsuits were consolidated, and the consolidated complaint, Head, et al. v. Regal Medical Group, Inc., et al, was filed in the Superior Court of the State of California, County of Los Angeles.

The defendants deny any wrongdoing and liability but agreed to settle the lawsuit to avoid the costs, expenses, distraction, and risks associated with continuing with the litigation. The plaintiffs believe the negotiated settlement is fair and in the best interests of all class members. The defendants have agreed to establish a $49,995,000.00 settlement fund. After paying attorneys’ fees, attorneys’ expenses, settlement administration costs, and service awards for the named plaintiffs, the remaining funds will be used to pay benefits to the class members. The attorneys seek almost $16.7 million in fees and expenses, the settlement administration costs have been capped at $2,450,000, and each of the named plaintiffs will receive a service award of up to $7,500.

All class members may claim three years of identity theft monitoring services, plus a payment of up to $210 per class member as compensation for documented lost time dealing with the data breach (up to 7 hours at $30 per hour). Additionally, a claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses, including losses from identity theft and fraud, up to a maximum of $10,000 per class member.  After all of the above payments have been deducted from the settlement fund, any residual funds will be paid pro rata to the class members as a cash payment.

Class members wishing to object to the settlement or exclude themselves must do so by November 24, 2025. Plaintiffs wishing to submit a claim must do so by December 22, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for January 28, 2025.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/