$5.48M settlement approved in HealthEC data breach lawsuit

Nearly 4.7 million individuals were impacted by the 2023 cyberattack on HealthEC’s healthcare analytics platform.

What happened

A federal judge has given preliminary approval to a $5.48 million class action settlement following the 2023 data breach at HealthEC, a New Jersey-based healthcare analytics vendor. The breach affected 4,656,293 individuals after hackers accessed HealthEC’s systems between July 14 and July 23, 2023, and stole files containing protected health information.

The lawsuits, filed by affected patients, accused HealthEC and several healthcare provider clients of negligence, alleging they failed to implement proper data security, comply with HIPAA, and notify victims in a timely manner. The cases were consolidated into a single class action, In Re: HealthEC, LLC Data Breach Litigation.

Going deeper

HealthEC’s platform is used to identify high-risk patients and optimize care strategies. The breach exposed sensitive data such as names, Social Security numbers, diagnoses, medical record numbers, and insurance details. The lawsuits also claimed HealthEC delayed issuing breach notifications; letters were mailed in December, five months after the incident occurred.

Though HealthEC and its co-defendants denied all wrongdoing and liability, they agreed to settle to avoid prolonged litigation. The defendants include Community Health Care Systems, Corewell Health, MD Valuecare, and Beaumont ACO.

Under the settlement terms, $5.48 million will be allocated to cover attorneys’ fees (estimated at $1.8 million), lead plaintiff awards, credit monitoring, and administrative costs. Affected individuals can file for reimbursement of documented expenses or lost time, or opt for a flat $25 cash payment. Three years of credit monitoring with identity theft protection is also available to all class members.

What was said

HealthEC has not publicly admitted to fault but has stated that it has taken steps to enhance its cybersecurity following the breach. While the motion to dismiss was not granted, mediation led to continued negotiations and a settlement intended to avoid the uncertainties of trial.

Final approval is still pending. If more than 1,000 individuals opt out, the defendants may cancel the settlement agreement. Dates for objections, opt-outs, and claim submissions have yet to be announced.

The big picture

With greater reliance on third-party analytics platforms, the responsibility for protecting patient data is now shared across a wider range of entities and is facing increased scrutiny. Lawsuits and federal inquiries are examining how hospitals and health apps transmit data to vendors such as Google and Meta, often without adequate consent or safeguards. At the same time, breach notifications are frequently delayed, with many reports exceeding HIPAA’s 60-day limit. These issues have prompted renewed efforts to define and enforce clearer legal standards. Recent actions by the FTC and proposed updates to the HIPAA Security Rule suggest growing momentum toward stronger patient protections and more consistent disclosure practices.

FAQs

What does it mean when a settlement is given “preliminary approval”?

Preliminary approval means the court agrees the settlement is fair and reasonable enough to notify affected individuals, but it is not final until a hearing is held and public objections or opt-outs are reviewed.

Are affected individuals automatically included in the settlement?

Yes, unless they choose to opt out. Those included can file a claim, accept the default cash payment or credit monitoring, or object to the settlement terms.

Why is there a flat $25 option for individuals who don’t want to file documentation?

The $25 option provides a simplified path to compensation for those without documented expenses or time loss. It ensures at least some relief without requiring proof of harm.

Can individuals receive both credit monitoring and a cash payout?

Yes. Individuals can receive three years of credit monitoring and also submit claims for out-of-pocket costs or lost time. However, they may not receive both reimbursement and the $25 flat payment; it’s one or the other.

What steps are being taken to prevent similar breaches in the future?

HealthEC has reportedly implemented additional security measures, but specific changes have not been publicly disclosed. Plaintiffs are also seeking injunctive relief to compel further improvements to data protection practices.