Dakota Eye Institute institutes 2023 breach has led to a million-dollar class action lawsuit settlement.
The breach triggered a class action lawsuit accusing the North Dakota eye care provider of failing to use reasonable security measures to prevent the intrusion. The litigation, filed as In re: Dakota Eye Institute Data Security Litigation, Case No. 08-2023-cv-02710, ultimately led Dakota Eye Institute to agree to a $1 million settlement announced on December 5, 2025. The practice maintained they had committed no wrongdoing.
Under the agreement, impacted individuals may claim up to $1,000 for ordinary expenses, up to $5,000 for identity-theft-related extraordinary losses, or opt for a $45 cash payment instead of credit monitoring. The settlement also provides two years of credit monitoring with $1 million fraud insurance. The court set December 13, 2025, as the deadline to object or opt out, and scheduled the final approval hearing for January 12, 2026, the same date by which claims must be submitted.
Dakota Eye Institute’s settlement stems from a cyberattack the organization uncovered on October 31, 2023, when it learned that an unauthorized party had gained access to its network and exposed sensitive patient information.
After the breach became public, affected individuals filed a class action lawsuit arguing that Dakota Eye Institute failed to deploy reasonable and industry-standard cybersecurity protections that could have prevented the intrusion. Plaintiffs alleged the organization violated its duty to safeguard patient information and left individuals vulnerable to identity theft and fraud.
According to Strauss Borrelli, “Though much information is still not known about the Dakota Eye Institute breach, the U.S. Department of Health and Human Services’ reporting guidelines require entities to report data breaches when they involve protected health information. Therefore, it is likely that the Dakota Eye Institute breach included the protected health information belonging to over 107,000 individuals.”
Dakota Eye Institute’s breach fits into a broader pattern of rising financial and regulatory consequences for healthcare cybersecurity failures, a trend underscored by high-profile cases like Solara Medical Supplies. Solara’s 2019 phishing incident, often cited as one of the industry’s early warning signs, resulted in a $9.76 million class action settlement and an additional $3 million OCR settlement in 2024.
It signals that both courts and federal regulators were willing to impose steep penalties when organizations failed to protect patient data. Dakota Eye Institute’s agreement to a $1 million class action settlement in December 2025 reflects the continuation of that trajectory.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
Ordinary losses refer to smaller, routine expenses like bank fees, monitoring costs, or time spent remedying fraud, often capped at around $500–$1,000. Extraordinary losses are major financial impacts tied to identity theft or fraud and allow higher compensation, often requiring documentation.
Companies often settle because litigation costs, reputational risks, and the uncertainty of a jury verdict outweigh the price of settlement.
No. Most settlements, including Dakota Eye Institute’s, expressly deny liability.