Court Approves Settlement for HCA Data Breach Class Action

Healthcare, Industry Specific, Litigation

Multimillion Dollar Deal Resolves 27 Lawsuits After 2023 Email Storage Hack

HCA Healthcare has agreed to settle consolidated class action litigation involving a 2023 email breach affecting nearly 11.3 million patients. (Image: HCA)

A Tennessee federal court has recently approved a multimillion-dollar settlement in a consolidated class action lawsuit against HCA Healthcare, resulting from a significant data breach in 2023. This breach allowed hackers to access sensitive information stored in an external location linked to the formatting of email messages, ultimately affecting more than 11 million individuals.

While the details of the settlement remain somewhat ambiguous—as court documents do not specify a net settlement fund or the total amount HCA has agreed to pay—it’s reported that class counsel will receive about $3.1 million in attorney’s fees. Given that attorney’s fees in similar class actions typically constitute about one-third of the overall settlement, it could be estimated that HCA’s total payout might approach $9.3 million.

The 2023 incident raised concerns as HCA disclosed that the hackers did not access certain types of sensitive data, including clinical or financial information and identifying documents like driver’s licenses or Social Security numbers. However, they did manage to obtain patient names, addresses, email addresses, telephone numbers, gender, service dates, location, and upcoming appointment dates.

Under the terms of the settlement, eligible class members can file claims for up to $5,000 against documented losses resulting from the breach, as well as request one year of complimentary credit and identity monitoring. Unlike many other settlements in similar cases, this one does not allow class members to request pro-rata cash payments in lieu of documented loss claims, highlighting a focus on substantiated damages.

According to regulatory attorney Rachel Rose, who is not involved in the case, the documentation requirement for claims indicates that the settlement is primarily based on actual damages rather than hypothetical losses. Furthermore, the agreement stipulates that HCA must implement and maintain improved security measures to avert future breaches, although the specifics of these measures have been filed under seal and remain undisclosed.

HCA Healthcare operates an extensive network comprising 190 hospitals and approximately 2,400 ambulatory care sites across 20 states in the U.S. and the UK. Following the breach, HCA assured investors that it did not expect the incident to materially impact its business or financial results, a statement reflecting confidence despite the tumultuous nature of data breaches.

The class action consolidates 27 individual lawsuits filed against HCA in the wake of the breach. Plaintiffs accused the healthcare provider of negligence in securing patients’ sensitive information, thereby breaching its duty of care. However, HCA has denied any wrongdoing in relation to these allegations, a common stance taken by companies embroiled in legal disputes of this nature.

The company’s response and settlement underscore a broader issue facing the healthcare sector regarding cybersecurity. As healthcare providers continue to digitize records and rely on technology for patient management, safeguarding medical data has become paramount—a challenge HCA Healthcare and others in the industry must confront going forward.
