Nearly 4.7 million individuals were impacted by the 2023 cyberattack on HealthEC’s healthcare analytics platform.
A federal judge has given preliminary approval to a $5.48 million class action settlement following the 2023 data breach at HealthEC, a New Jersey-based healthcare analytics vendor. The breach affected 4,656,293 individuals after hackers accessed HealthEC’s systems between July 14 and July 23, 2023, and stole files containing protected health information.
The lawsuits, filed by affected patients, accused HealthEC and several healthcare provider clients of negligence, alleging they failed to implement proper data security, comply with HIPAA, and notify victims in a timely manner. The cases were consolidated into a single class action, In Re: HealthEC, LLC Data Breach Litigation.
HealthEC’s platform is used to identify high-risk patients and optimize care strategies. The breach exposed sensitive data such as names, Social Security numbers, diagnoses, medical record numbers, and insurance details. The lawsuits also claimed HealthEC delayed issuing breach notifications; letters were mailed in December, five months after the incident occurred.
Though HealthEC and its co-defendants denied all wrongdoing and liability, they agreed to settle to avoid prolonged litigation. The defendants include Community Health Care Systems, Corewell Health, MD Valuecare, and Beaumont ACO.
Under the settlement terms, $5.48 million will be allocated to cover attorneys’ fees (estimated at $1.8 million), lead plaintiff awards, credit monitoring, and administrative costs. Affected individuals can file for reimbursement of documented expenses or lost time, or opt for a flat $25 cash payment. Three years of credit monitoring with identity theft protection is also available to all class members.
HealthEC has not publicly admitted to fault but has stated that it has taken steps to enhance its cybersecurity following the breach. While the motion to dismiss was not granted, mediation led to continued negotiations and a settlement intended to avoid the uncertainties of trial.
Final approval is still pending. If more than 1,000 individuals opt out, the defendants may cancel the settlement agreement. Dates for objections, opt-outs, and claim submissions have yet to be announced.
With greater reliance on third-party analytics platforms, the responsibility for protecting patient data is now shared across a wider range of entities and is facing increased scrutiny. Lawsuits and federal inquiries are examining how hospitals and health apps transmit data to vendors such as Google and Meta, often without adequate consent or safeguards. At the same time, breach notifications are frequently delayed, with many reports exceeding HIPAA’s 60-day limit. These issues have prompted renewed efforts to define and enforce clearer legal standards. Recent actions by the FTC and proposed updates to the HIPAA Security Rule suggest growing momentum toward stronger patient protections and more consistent disclosure practices.
Preliminary approval means the court agrees the settlement is fair and reasonable enough to notify affected individuals, but it is not final until a hearing is held and public objections or opt-outs are reviewed.
Affected individuals are included in the class unless they choose to opt out. Those included can file a claim, accept the default cash payment or credit monitoring, or object to the settlement terms.
The $25 option provides a simplified path to compensation for those without documented expenses or time loss. It ensures at least some relief without requiring proof of harm.
Individuals can receive three years of credit monitoring and also submit claims for out-of-pocket costs or lost time. However, they may not receive both reimbursement and the $25 flat payment; it is one or the other.
HealthEC has reportedly implemented additional security measures, but specific changes have not been publicly disclosed. Plaintiffs are also seeking injunctive relief to compel further improvements to data protection practices.