Akumin agrees to $1.5 million settlement over 2023 data breach

Akumin Operating Corp., a U.S.-based healthcare provider specializing in imaging services, has agreed to a $1.5 million settlement to resolve a class action lawsuit stemming from a data breach that occurred on October 11, 2023.

 

What happened 

According to ClassAction.org, the breach potentially exposed sensitive patient information, including names, addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, medical record numbers, and health insurance information. Plaintiffs allege that Akumin failed to protect this information adequately.

 

 

The backstory

The lawsuit, Letizio, et al. v. Akumin Operating Corp., was filed in the 17th Judicial Circuit Court in Broward County, Florida. The breach occurred as a result of a ransomware attack that infiltrated Akumin’s systems, potentially exposing sensitive patient data. While Akumin has not admitted any wrongdoing, the settlement avoids further litigation.

 

Going deeper

According to Top Class Action, under the settlement, affected individuals can claim up to $2,500 for documented losses such as unreimbursed fraud or identity theft costs and credit-related expenses. In addition, one year of free medical data monitoring through CyEx’s Medical Shield Complete is provided. To receive benefits, claims must be submitted by November 30, 2025.

 

 

Why it matters

The settlement provides both financial compensation and access to one year of medical data monitoring, offering affected individuals a measure of protection and remediation. Beyond individual impacts, the case underscores the broader consequences of cybersecurity lapses in healthcare, highlighting how a single breach can trigger costly legal action, reputational damage, and the need for systemic improvements in data protection.

 

The big picture

Ransomware attacks have become an increasingly serious threat to the healthcare sector, targeting hospitals, clinics, and medical service providers that hold large volumes of sensitive patient data. These attacks typically involve cybercriminals encrypting critical systems and demanding payment for access, potentially disrupting operations and compromising patient care. Beyond operational disruption, ransomware incidents can expose personally identifiable information (PII) and protected health information (PHI), resulting in identity theft, financial loss, and potential regulatory penalties.  

According to IBM, “Since 2015, there has been a staggering increase in ransomware attacks on healthcare facilities… There’s been a 300% increase in ransomware attacks on healthcare since 2015. This led to a spike in emergency cases, including strokes and cardiac arrests, at hospitals overwhelmed by patients diverted from facilities hit by cyberattacks.” 

One effective way to reduce the risk of such attacks is through secure, HIPAA-compliant email practices. By ensuring that all emails containing PHI are encrypted and sent through compliant channels, healthcare organizations can prevent unauthorized access via phishing and malicious attachments, common vectors for ransomware. Implementing HIPAA-compliant email protects sensitive patient information and strengthens the overall cybersecurity posture, reducing the likelihood of costly breaches like the one experienced by Akumin.

 

FAQs

Does this settlement mean Akumin admitted wrongdoing?

No. Akumin has not admitted any wrongdoing; the settlement resolves the lawsuit and avoids further litigation.

 

Will filing a claim affect an individual’s legal rights?

By submitting a claim, an individual agrees to participate in the settlement, which resolves the lawsuit. After this, class action members typically waive the right to pursue separate legal action for the issue.