A 2023 data breach at East Carolina Health led to legal action and a settlement affecting nearly 20,000 individuals.
East Carolina Health (EC Health) has reached a $250,000 settlement in a class action lawsuit stemming from a data breach at the Brody School of Medicine, part of East Carolina University. The breach, discovered in December 2023, involved protected health information (PHI) that was mistakenly made available to students, employees, and certain clinicians who did not need access.
The exposed data included names, health insurance details, and diagnostic or clinical information. The breach occurred between July 2022 and January 2024, and affected individuals were notified on February 20, 2024. In April, a lawsuit was filed in North Carolina’s Pitt County Superior Court on behalf of affected patients.
The lawsuit, Kaitlyn Hill v. East Carolina Health, alleged EC Health failed to implement reasonable safeguards for PHI, causing harm to affected individuals. While HIPAA does not permit individuals to sue for violations directly, the case was built on claims of negligence and other legal violations linked to HIPAA obligations.
Claims included breach of implied contract, unjust enrichment, and violations of state privacy and consumer protection laws. The lawsuit argued that plaintiffs faced diminished data privacy, increased risk of identity theft, and significant inconvenience.
Although EC Health denies wrongdoing, the organization agreed to settle to avoid further litigation costs and risks. The $250,000 fund will cover attorney fees (estimated at $83,325), a $2,500 service award for the lead plaintiff, administrative costs, and individual compensation.
Class members can claim up to $100 in documented out-of-pocket expenses or opt for a $100 flat cash payment, subject to proration depending on total claims. The settlement received preliminary court approval.
HIPAA does not allow individuals to sue for violations. Instead, lawsuits like this rely on related legal claims based on duties established under HIPAA.
A service award compensates the named plaintiff for their time, effort, and risk in representing the class throughout the legal process.
If the total of valid claims exceeds the available fund, the $100 payments will be reduced proportionally so that every claimant receives some compensation.
Even though the data was not shared externally, the exposure increased the risk of identity theft or misuse, which is part of the plaintiffs’ argument in the case.
Strict role-based access controls, regular audits of who can access PHI, and staff training on information privacy are key ways to minimize unintentional data exposure of the kind at issue here.