Data breach lawsuit: Robeson Health Care to pay $750K

Robeson Health Care will pay $750,000 to settle a lawsuit over a 2023 data breach that exposed the sensitive health information of more than 62,000 patients.

What happened

Robeson Health Care Corporation, an integrated health provider based in Pembroke, North Carolina, has agreed to a $750,000 settlement following a class action lawsuit over a February 2023 cyberattack. The breach exposed the protected health information (PHI) of 62,627 individuals. Affected patients were notified starting April 21, 2023, two months after the attack occurred.

Going deeper

Hackers accessed Robeson’s network around February 21, 2023, potentially acquiring a wide range of PHI. Compromised data included names, birth dates, Social Security numbers, diagnoses, treatment records, prescription details, Medicare/Medicaid numbers, and health insurance information.

Three lawsuits were filed in federal court in North Carolina by plaintiffs Julianna McKenzie, Judith Hammonds, and Ronnie McGriff. The complaints alleged Robeson failed to implement adequate cybersecurity safeguards, citing negligence and a failure to prevent unauthorized access to sensitive health data. Robeson denies all claims but opted to settle in order to avoid extended legal proceedings. The settlement has received preliminary approval from the Superior Court in Robeson County.

What was said

While Robeson Health Care Corp. has not admitted fault, the parties agreed the settlement is fair and avoids the costs and delays of continued litigation. Each of the three plaintiffs will receive a $1,500 service award, while attorneys’ fees have been capped at $250,000.

Class members can claim up to $2,500 for documented, unreimbursed expenses tied to the breach or opt for a $50 cash payment, depending on claim volume. Additionally, affected individuals may receive two years of credit monitoring services. 

FAQs

Why did Robeson choose to settle if it denies wrongdoing?

Settling allowed Robeson to avoid prolonged litigation costs and reputational damage, which is common in breach cases even when liability is disputed.

What types of harm are patients being compensated for?

The settlement covers financial losses, time spent dealing with the breach, and potential future risks like identity theft or fraud due to leaked health data.

Is this settlement typical for a breach of this size?

Yes. Settlements under $1 million are common for mid-sized breaches involving under 100,000 records, though larger breaches often result in much higher penalties.

Does this affect Robeson’s legal liability going forward?

The settlement resolves this specific case, but Robeson could still face regulatory scrutiny or further litigation if additional issues come to light.

What does this case signal to other healthcare providers?

It reinforces the legal expectation that providers must proactively secure patient data or face costly consequences when they fail.