Coastal Orthopedics settles data breach for $1.4 million

Coastal Orthopedics will pay $1.4 million to settle claims after a 2023 data breach exposed sensitive information of over 200,000 patients.

 

What happened

Coastal Orthopedics & Sports Medicine of Southwest Florida (COSM) has agreed to a $1.4 million settlement following a cyberattack and data breach that occurred in June 2023, impacting 203,427 individuals. Hackers accessed the company’s network between June 6 and June 11, stealing files that contained a wide array of sensitive patient information, including names, birth dates, Social Security numbers, driver’s license numbers, medical and insurance data, and financial details.

 

Going deeper

The breach led to multiple lawsuits filed in both state and federal courts. Two suits were brought in Manatee County, Florida, while a third, later dismissed, was filed in federal court. The remaining actions were consolidated into a single case titled In Re: Coastal Orthopedics & Sports Medicine of Southwest Florida Data Breach Litigation in October 2024.

Plaintiffs alleged COSM was negligent in its failure to adopt reasonable cybersecurity safeguards that could have prevented the unauthorized access. While COSM denies any wrongdoing, it chose to settle in order to avoid the costs and risks of protracted litigation.

Under the agreement, COSM will pay $1,403,646.30 to cover all related costs, including class member claims, legal fees, and administrative expenses. Up to $10,000 may be claimed by individuals able to prove monetary losses linked to the breach. Additionally, all affected individuals will receive two years of credit monitoring and a $1 million identity theft insurance policy.

The class has been divided into two groups: those whose Social Security numbers were exposed (Group 1) and all others (Group 2). Cash payments for Group 1 members will be triple the amount received by Group 2, drawn from the remaining settlement fund.

 

What was said

Although COSM maintains that it was not legally liable for the incident, it acknowledged the settlement as a practical resolution to avoid further uncertainty. The court has granted preliminary approval, with final deadlines approaching:

  • Objections must be filed by July 14, 2025
  • Requests for exclusion and claims must be submitted by August 13, 2025
  • A final fairness hearing is scheduled for July 28, 2025

FAQs

Why are healthcare organizations frequent targets for cyberattacks?

Healthcare providers store vast amounts of sensitive personal, medical, and financial data, making them highly valuable targets for hackers looking to exploit or ransom stolen information.

 

What are common entry points attackers use in healthcare breaches?

Cybercriminals often exploit outdated software, phishing emails, weak passwords, or third-party vendor vulnerabilities to gain access to healthcare systems.

 

What long-term risks do patients face after such breaches?

Stolen healthcare data can be used for identity theft, fraudulent medical claims, and targeted scams, sometimes years after the initial breach.

 

What legal standards are healthcare providers expected to meet for data security?

Under HIPAA and other regulations, healthcare entities must implement reasonable safeguards to protect patient data, including access controls, encryption, and regular risk assessments.

 

Are data breach settlements becoming more common in healthcare?

Yes. As breach frequency rises and class-action lawsuits become more prevalent, many providers are opting for settlements to limit financial and reputational damage.