A Minnesota-based health provider will pay out a class action settlement after hackers accessed personal and medical data of 67,000 individuals.
Fraser Child and Family Center has agreed to a $750,000 settlement to resolve class action litigation related to a data breach that occurred between May 30 and June 2, 2024. The incident involved unauthorized access to portions of Fraser’s IT environment containing protected health information (PHI) for around 67,000 individuals. Affected data included names, addresses, birth dates, Social Security numbers, and medical details. Individuals were notified in September 2024.
The lawsuit, In re: Fraser Child and Family Center, was filed in Hennepin County District Court after four separate plaintiffs, representing themselves and their minor children, filed overlapping claims that were consolidated into one case.
The plaintiffs alleged negligence, breach of contract, breach of fiduciary duty, unjust enrichment, invasion of privacy, and failure to provide timely breach notifications. While Fraser denied any wrongdoing and sought dismissal, the parties opted for early resolution. A settlement agreement was reached and has received preliminary court approval.
Following detection of the breach, Fraser immediately isolated affected systems and engaged external cybersecurity experts to investigate. The forensic review confirmed unauthorized access during a short window between May 30 and June 2, 2024, but found no evidence of data misuse.
Fraser has since implemented additional safeguards to secure its systems, including enhanced access controls, multi-factor authentication, and continuous monitoring tools to detect suspicious network activity. The $750,000 fund will cover legal fees, administration costs, service awards, and benefits for class members.
Fraser has not admitted to any liability and has issued no public statement on the matter. The early resolution suggests a strategic choice to limit prolonged legal exposure while offering remedies to those affected.
According to Bloomberg Law, “companies managing health data are witnessing an uptick in cyberattacks” and those that fall victim are also facing a “surge in litigation costs.” The publication’s analysis found that “the monthly average of class actions over health data breaches this year has skyrocketed, nearly doubling the rate from 2022,” based on 557 complaints filed in federal courts over the past five years. These lawsuits, which often involve “civil damages amounting to millions,” reflect how ransomware, breach notification rules, and a more privacy-aware public are driving a sharp increase in legal action. The U.S. Department of Health and Human Services’ Office for Civil Rights has also recorded a parallel rise in healthcare cyber incidents, showing that for providers like Fraser, the cost of a breach extends far beyond technical recovery to include mounting legal and regulatory risks.
Fraser resolved the lawsuit early, before federal involvement, showing how state-level litigation can still lead to great financial exposure for mid-sized providers.
It signals that smaller organizations handling children’s data are now under the same legal pressure as hospitals to maintain continuous breach monitoring and rapid notification processes.
The gap between the breach (June 2024) and notification (September 2024) raised claims that Fraser did not meet HIPAA’s 60-day disclosure window, an area regulators are watching closely.
Audit logs, access reviews, and encryption of PHI at rest and in transit were central issues. Strengthening these controls helps prevent similar credential-based intrusions.
Tools that detect abnormal login behavior and enforce encrypted communication can limit unauthorized access, often preventing the kind of exposure that leads to class-action claims.