Cardiovascular Consultants in Arizona has agreed to a $3.85 million settlement to resolve a class action lawsuit stemming from a 2023 data breach that exposed the protected health information of approximately 484,000 individuals. The incident highlights the growing cybersecurity risks facing healthcare organizations and the increasing legal and financial consequences of data breaches involving sensitive patient information.

The breach was detected on September 29, 2023, with a subsequent forensic investigation revealing that unauthorized access to the network had occurred two days earlier. During that time, a threat actor exfiltrated sensitive files before deploying ransomware to encrypt systems, disrupting operations and compromising critical data.

The exposed information included highly sensitive patient and guarantor details such as names, addresses, dates of birth, Social Security numbers, driver’s license and state ID numbers, insurance information, and medical and billing records, including diagnosis and treatment data. Notification letters were issued to affected individuals on December 2, 2023.

Legal action followed shortly after, with plaintiffs Michele Stroup and Georgios Asimakopoulos filing a class action complaint in December 2023. Additional plaintiffs later joined the case as class representatives. The lawsuit, filed in the Superior Court of Arizona in Maricopa County, alleged that Cardiovascular Consultants failed to implement adequate security measures and delayed breach notification, thereby increasing the risk of harm to affected individuals.

The plaintiffs brought multiple claims, including negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, violation of the Arizona Consumer Fraud Act, and invasion of privacy. Cardiovascular Consultants denied all allegations and sought dismissal of the case, though the court only partially granted that motion, allowing key claims to proceed.

Following mediation, both parties agreed to a settlement to avoid prolonged litigation and the uncertainty of a trial. Under the terms, a $3,850,000 settlement fund has been established to cover legal fees, administrative costs, and service awards for class representatives, with the remaining funds allocated to affected individuals.

Eligible class members can claim two years of medical monitoring services, along with financial compensation options. These include reimbursement for documented out-of-pocket losses up to $5,000 per individual and/or a pro rata cash payment estimated at approximately $75 per claimant, depending on the number of valid submissions.

The settlement has received preliminary court approval, with a final fairness hearing scheduled for August 18, 2026. Class members who wish to object to the settlement or opt out must do so by June 1, 2026, while the deadline to submit claims is July 1, 2026.

This case underscores the critical importance of robust cybersecurity frameworks and timely incident response in the healthcare sector, where the protection of sensitive patient data is both a regulatory requirement and a cornerstone of patient trust.
