Hospital Sisters Health System Pays $7.6 Million to Resolve a Class Action Data Breach Lawsuit

Hospital Sisters Health System, a HIPAA-covered entity, has settled a class action lawsuit for $7.6 million. The litigation pertains to an August 2023 cyberattack that impacted around 883,000 people. The cyberattack prompted a shutdown of computer systems, telephone lines, and web pages. The health system also took its MyChart and MyPrevea applications offline for a few days, so it could not receive payments during that time. The investigation confirmed that the threat actor had access to systems containing patient and worker records from August 16, 2023, to August 27, 2023, and likely exfiltrated information. The health system began mailing notification letters to the impacted people on October 26, 2023.

Hospital Sisters Health System faced multiple class action lawsuits because of the data breach. Because they made similar claims and were based on similar facts, the lawsuits were consolidated into one action. The In re Hospital Sisters Health System Data Breach Lawsuit was filed in the Circuit Court of the Seventh Judicial Circuit of the State of Illinois, Sangamon County, Chancery Division.

Hospital Sisters Health System was alleged to have been negligent because it did not employ reasonable and proper security measures to safeguard its systems, including patient and worker information, from unauthorized access. The lawsuit alleged that the data breach could have been avoided if the appropriate measures had been implemented. Hospital Sisters Health System does not admit any of the claims alleged in the litigation and denies any wrongdoing or liability. The class lawyer and the plaintiffs think that the lawsuit's legal claims have merit.

After evaluating the merits of the case, the plaintiffs and defendants agreed to resolve the lawsuit to avoid the trouble, cost, risk, and uncertainty of ongoing litigation. The class lawyer and the plaintiffs think that the agreed settlement is reasonable and offers sufficient benefits for the class members. Under the terms of the settlement, all class members can claim two years of financial data monitoring services. The CyEx Financial Shield package covers fraud and identity checking, monitoring for breached bank and financial account numbers, and monitoring for unauthorized financial transactions. Class members are also covered by a financial fraud insurance policy worth $1 million.

Class members can also claim cash benefits in one of two ways. Each may file a claim of up to $5,000 for reimbursement of documented, unreimbursed losses associated with the data breach. Alternatively, they can file a claim for a cash payment that will be adjusted pro rata. Cash payments will be made after lawyers' fees, expenditures, class representative awards, settlement management costs, financial data monitoring fees, and claims have been paid.

The court has given its preliminary approval of the settlement. The final fairness hearing is scheduled for December 4, 2025. Class members who want to object to the settlement or exclude themselves from it should do so on or before November 14, 2025. The last day to submit a claim is also November 14, 2025.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA