Asheville Arthritis and Osteoporosis Center Settles Data Breach Lawsuit for $500,000

By Daniel Lopez

Asheville Arthritis and Osteoporosis Center, a HIPAA-covered entity located in North Carolina, has decided to settle a class action lawsuit stemming from a May 2024 cyberattack that resulted in a data breach affecting 58,251 patients. The attack happened on or about May 22, 2024, when the threat actor illegally accessed patient data. The breached information included names, telephone numbers, addresses, birth dates, Social Security numbers, medical records, laboratory data, diagnoses, and medical insurance data.

Plaintiff Karen Stiwinter filed the Stiwinter et al. v. Asheville Arthritis and Osteoporosis Center lawsuit in the Superior Court of Buncombe County, North Carolina. The lawsuit was later transferred to the North Carolina Business Court. The claims stated in the lawsuit included negligence, negligence per se, breach of fiduciary duty, unjust enrichment, and breach of implied contract. The plaintiff seeks damages and injunctive and declaratory relief. Asheville Arthritis and Osteoporosis Center does not admit to any wrongdoing and rejects all claims made in the litigation. Nevertheless, the parties decided to negotiate to avoid the time, cost, and risk of trial.

Asheville Arthritis and Osteoporosis Center will create a $500,000 settlement fund to pay for the lawyers’ fees and expenses, settlement administration and notification costs, and service awards. The remainder of the fund will cover the class members’ benefits. Class members may file a claim for compensation of documented, unreimbursed expenses resulting from the data breach, up to $5,000 for each class member. Class members who do not want to file a claim for a refund of losses can opt to receive a one-time $100 pro rata cash payment. The $100 cash payments could be higher or lower depending on the number of people who file a valid claim. January 26, 2026 is the last day to object to or be excluded from the settlement. It is also the last day to submit all claims. The final fairness hearing is scheduled for February 9, 2026.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA