Dakota Eye Institute agrees to $1M settlement over 2023 patient data breach
Kirsten Peremore
Dec 6, 2025 5:31:45 PM
The Dakota Eye Institute 2023 breach has led to a million-dollar class action lawsuit settlement.
What happened
The breach triggered a class action lawsuit accusing the North Dakota eye care provider of failing to use reasonable security measures to prevent the intrusion. The litigation, filed as In re: Dakota Eye Institute Data Security Litigation, Case No. 08-2023-cv-02710, ultimately led Dakota Eye Institute, while denying wrongdoing, to agree to a $1 million settlement announced on December 5, 2025.
The backstory
Dakota Eye Institute’s settlement stems from a cyberattack the organization uncovered on October 31, 2023, when it learned that an unauthorized party had gained access to its network and exposed sensitive patient information.
After the breach became public, affected individuals filed a class action lawsuit arguing that Dakota Eye Institute failed to deploy reasonable and industry-standard cybersecurity protections that could have prevented the intrusion. Plaintiffs alleged the organization violated its duty to safeguard patient information and left individuals vulnerable to identity theft and fraud.
What was said
According to Strauss Borrelli, “Though much information is still not known about the Dakota Eye Institute breach, the U.S. Department of Health and Human Services’ reporting guidelines require entities to report data breaches when they involve protected health information. Therefore, it is likely that the Dakota Eye Institute breach included the protected health information belonging to over 107,000 individuals.”
The big picture
Dakota Eye Institute’s breach fits into a broader pattern of rising financial and regulatory consequences for healthcare cybersecurity failures, a trend underscored by high-profile cases like Solara Medical Supplies. Solara’s 2019 phishing incident, often cited as one of the industry’s early warning signs, resulted in a $9.76 million class action settlement and an additional $3 million OCR settlement in 2024.
The Solara outcome signaled that both courts and federal regulators were willing to impose steep penalties when organizations failed to protect patient data. Dakota Eye Institute’s agreement to a $1 million class action settlement in December 2025 reflects the continuation of that trajectory.
FAQs
What are ordinary vs. extraordinary losses?
Ordinary losses refer to smaller, routine expenses like bank fees, monitoring costs, or time spent remedying fraud, often capped at around $500–$1,000. Extraordinary losses are major financial impacts tied to identity theft or fraud and allow higher compensation, often requiring documentation.
Why do companies settle class action lawsuits instead of going to trial?
Companies often settle because litigation costs, reputational risks, and the uncertainty of a jury verdict outweigh the price of settlement.
Does settling mean the company admits wrongdoing?
No. Most settlements, including Dakota Eye Institute’s, expressly deny liability.