Cardiovascular Consultants in Arizona has agreed to a $3,850,000 settlement to resolve a class action lawsuit arising from a 2023 data breach that exposed the protected health information (PHI) of 484,000 individuals.
Breach Incident
The breach was detected on September 29, 2023, following unauthorized access to the network two days earlier. Patient files were exfiltrated before ransomware was deployed to encrypt systems. The compromised information included names, addresses, birth dates, emergency contacts, Social Security numbers, driver’s license numbers, state ID numbers, insurance details, guarantor information, diagnosis and treatment data, and other medical or billing records. Breach notification letters were mailed on December 2, 2023.
Litigation
Plaintiffs Michele Stroup and Georgios Asimakopoulos filed a class action complaint in December 2023, later joined by other representatives. The Stroup, et al. v. Cardiovascular Consultants Ltd. lawsuit is pending in the Superior Court of the State of Arizona, County of Maricopa. The defendant denied all claims and sought dismissal, which was granted in part and denied in part.
The lawsuit alleged failures to implement reasonable security protections and deficiencies in breach response, including delayed notifications. Claims included negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, violation of the Arizona Consumer Fraud Act, and invasion of privacy.
Settlement Terms
Following mediation, the parties agreed to settlement terms to avoid trial costs and uncertainty. Cardiovascular Consultants will establish a $3,850,000 fund to cover attorneys’ fees, litigation expenses, notice and administration costs, and service awards for class representatives.
The remaining funds will provide benefits to class members. Eligible individuals may claim:
- Two years of medical monitoring
- Reimbursement for documented, unreimbursed out-of-pocket losses up to $5,000 per person
- A pro rata cash payment estimated at $75 per person, subject to adjustment based on the number of valid claims
Court Approval and Deadlines
The settlement has received preliminary court approval. The final fairness hearing is scheduled for August 18, 2026. Individuals wishing to object or exclude themselves must act by June 1, 2026. The deadline for submitting claims is July 1, 2026.
This case demonstrates the financial and compliance consequences of data breaches involving protected health information and highlights the litigation risks for healthcare providers when security safeguards and breach response measures are challenged.