Data Breaches in Healthcare and the Rising Risk of Class Action Litigation
Data breaches in healthcare continue to increase in frequency and severity, and they are increasingly followed by class action lawsuits against medical practices and healthcare systems. These lawsuits represent a significant financial and operational risk for covered entities and business associates alike.
A publicly available website, ClaimDepot.com, tracks class action lawsuits and settlements across industries, including healthcare. As of January 17, 2026, healthcare-related data breach settlements listed on the site include¹:
- Des Moines Orthopaedic Surgeons – Data Breach Settlement
- Inova Health – $3.15 million MyChart Privacy Class Action Settlement
- U.S. Dermatology Partners – Data Breach Class Action Settlement
- American Addiction Centers – $2.75 million Class Action Settlement
- Hospital Sisters Health System – $7.6 million Data Breach Settlement
Reviewing these cases highlights an important reality for medical practices and healthcare systems: settlement amounts can reach millions of dollars, and these figures typically do not include legal fees, forensic investigations, breach notification costs, credit monitoring services, regulatory response efforts, or operational disruption.
Legal Exposure Following a Healthcare Data Breach
A data breach is not only a regulatory compliance issue but also a significant legal and financial event. In addition to breach containment and remediation, organizations must comply with the HIPAA Breach Notification Rule² and respond to any investigations initiated by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Patients generally do not have a private right of action under HIPAA itself³. However, this does not eliminate litigation risk. Patients commonly bring lawsuits under alternative legal theories, including:
- State privacy and data protection laws
- Negligence
- Consumer protection statutes
As a result, class action lawsuits following healthcare data breaches are typically not based on HIPAA, but rather on state statutory and common-law claims, which vary by jurisdiction and often allow for monetary damages.
HIPAA Security Risk Analysis: A Regulatory Requirement
Under the HIPAA Security Rule, covered entities and business associates are required to conduct an **accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI)**⁴:
- 45 CFR § 164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR § 164.308(a)(1)(ii)(B) – Risk Management
HHS OCR guidance emphasizes that a HIPAA Security Risk Analysis (SRA):
- Must be documented
- Must be organization-specific
- Is an ongoing process, not a one-time exercise⁵
OCR explicitly states:
“The risk analysis process should be ongoing. In order for risk analysis to remain effective, it should be reviewed periodically and updated as needed.”⁵
Completing a risk analysis and implementing a corresponding risk management (mitigation) plan can significantly reduce the likelihood and impact of a breach. However, it is important to recognize that breaches can still occur even in organizations that have performed a Security Risk Analysis.
Third-Party and Business Associate Risk
Healthcare organizations remain legally exposed even when a breach originates outside their direct control. Breaches frequently involve:
- Business Associates
- Patient portals
- Web tracking or analytics tools
- Cloud-based or third-party software platforms
For example, Inova Health faced class action litigation related to privacy issues involving MyChart, a third-party patient portal application¹. This illustrates the importance of vendor risk management, Business Associate Agreements (BAAs), and ongoing oversight.
OCR guidance makes clear that covered entities are responsible for ensuring that their Business Associates appropriately safeguard ePHI and comply with the HIPAA Security Rule⁶.
Cyber Liability Insurance as a Risk Management Tool
In addition to regulatory compliance efforts, healthcare organizations should strongly consider cyber liability insurance as part of a comprehensive risk management strategy. Such policies may help offset costs associated with:
- Forensic investigations
- Legal defense and settlements
- Breach notification and credit monitoring
- Regulatory fines and penalties (where insurable)
- Business interruption
Cyber insurance should be viewed as a supplement to—not a substitute for—HIPAA compliance.
Maintaining an Ongoing Risk Management Program
HHS OCR guidance states that a Security Risk Analysis should be reviewed and updated at least annually, and whenever there are material changes that affect an organization’s risk profile⁵, including:
- Implementation of new hardware or software
- Adoption of new EHR or patient engagement platforms
- Changes in clinical workflows or data storage
- Emerging cybersecurity threats, such as ransomware
About TLD Systems
TLD Systems has assisted many healthcare organizations, including hundreds of small ambulatory practices, with HIPAA Security Risk Analyses and compliance support. Our approach emphasizes practical risk identification, regulatory alignment, and realistic mitigation strategies tailored to clinical environments.
For more information or to contact TLD Systems:
Website: https://www.tldsystems.com
Email: info@tldsystems.com
Phone: (631) 403-6687
Michael L. Brody, DPM
CEO, TLD Systems
References
- ClaimDepot. Healthcare Data Breach Class Action Settlements. ClaimDepot.com.
- HHS. HIPAA Breach Notification Rule, 45 CFR §§ 164.400–414.
- HHS OCR. Enforcement Rule and HIPAA Overview – No Private Right of Action.
- HHS. HIPAA Security Rule, 45 CFR § 164.308(a)(1).
- HHS OCR. Guidance on Risk Analysis Requirements under the HIPAA Security Rule.
- HHS OCR. Business Associate Contracts and Responsibilities under HIPAA.