MedStar Health to Settle Class Action Data Breach Litigation for $1.35 Million

By Daniel Lopez

MedStar Health has opted to resolve a class action lawsuit associated with a 2023 data breach that impacted over 183,000 individuals. A $1.35 million settlement fund will be created to pay for attorneys’ fees, legal fees and expenses, and class member claims for reimbursement of out-of-pocket expenses related to the data breach.

MedStar Health is the biggest healthcare organization in Maryland and Washington, D.C. Its medical services are available through 120 HIPAA-covered entities, which include 10 hospitals. From January 25, 2023 to October 18, 2023, an unauthorized third party accessed three employees’ email accounts and viewed or downloaded the protected health information (PHI) of 183,079 patients. MedStar Health sent breach notifications to the affected individuals on May 4, 2024.

Soon after the notification letters were sent, Gwendolyn Riddick filed a class action lawsuit individually and on behalf of similarly situated individuals. Other MedStar Health patients filed five other class action lawsuits. Because of the overlapping claims among the six lawsuits, they were consolidated into a single lawsuit, In re MedStar Health Data Security Incident. The consolidated lawsuit was filed in the U.S. District Court for the District of Maryland. The plaintiffs claimed that MedStar Health did not have adequate and appropriate safeguards to secure the sensitive information it kept on its systems.

MedStar Health does not admit to any wrongdoing and disputes the claims and allegations in the lawsuit. Nevertheless, MedStar decided to settle the lawsuit to avoid the cost and risk of a trial as well as any likely appeals. The $1,350,000 settlement fund will cover attorneys’ fees of around $450,000, settlement management expenses of around $250,000, class representative awards of $2,500 for each of the six named plaintiffs, attorneys’ expenses, and patient data monitoring costs. The remainder of the settlement fund will cover claims filed by class members. Class members are U.S. residents who are current or former MedStar patients or staff members and who received notifications about the exposure of their data from January 25, 2023 to October 18, 2023.

According to the terms of the settlement, class members can claim one of two cash payments and also a medical and healthcare data monitoring service for one year. Each class member can file a claim for compensation of documented losses up to $5,000, or claim a $100 cash payment (estimated amount). The amount of the cash payment might be adjusted according to the number of eligible claims submitted.

The last day to file an objection to, or request exemption from, the settlement is September 14, 2025. The last day to submit a claim is October 14, 2025. The court has given preliminary approval of the settlement, and the final fairness hearing is scheduled for November 4, 2025.

