Columbia University Health Care (CUHC) has agreed to a $600,000 settlement over a class action suit following a massive data breach.
According to court documents, CUHC faced a data breach that took place between September 11, 2023 and March 7th, 2024, when cybercriminals accessed an Internet-accessible platform used by Columbia University Irving Medical Center, the academic medical center of Columbia University, and the largest campus of the New York-Presbyterian Hospital.
The incident impacted approximately 26,629 individuals, disclosing a variety of their protected health information (PHI). The involved information included first and last names, dates of birth, medical record numbers, provider names, and laboratory test results. Notices about the breach were sent out beginning May 7th, 2024.
Following the incident, plaintiffs Margaret Nemeth and Juanita Huggins filed a class action lawsuit in July 2024. The lawsuit alleged that CUHC failed to implement and maintain adequate security measures and could have prevented the data breach.
After a mediation on April 18th, 2025, CUHC and the plaintiffs agreed to terms of a settlement, with CUHC not admitting any wrongdoing.
Now, the final approval has been scheduled for December 5th, 2025, and is expected to pass. Class action members have until November 25th, 2025, to submit a claim.
CUHC agreed to a settlement of $600,000, which will be used to cover attorneys’ fees and expenses, service awards for the class representatives, benefits for class members, and some additional administrative costs.
All data breaches can be damaging for patient trust and for the organization’s longevity. According to Paubox’s 2025 Healthcare Email Security Report, “Attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures.”
Columbia University is currently facing another breach, estimated to impact 870,000 individuals. This time, however, the affected data appears to consist largely of admissions and financial aid records rather than medical information.
It’s common for defendants to include a clause stating that, although they are agreeing to the settlement, they are not admitting to any wrongdoing. This clause is included to prevent future legal or financial repercussions and implies that the defendant is settling to avoid court expenses rather than because it is guilty.
While the impact of a data breach can vary depending on the severity, the number of impacted patients, and more, on average a data breach against a healthcare organization costs $11 million. Some large data breaches, like the Change breach, may skew the data, but nevertheless, all breaches have costs.