A federal court has approved a multi-million dollar settlement in response to HCA’s 2023 data breach affecting over 11 million patients.
What happened
HCA Healthcare Inc. has reached a settlement agreement to resolve class action litigation linked to a July 2023 data breach that impacted 11,270,000 individuals across 20 U.S. states. Hackers accessed an external storage system used to automate email formatting and stole a database containing 27.7 million records. When HCA refused to pay a ransom, the stolen data was offered for sale.
The compromised information included names, contact details, birth dates, and appointment details. The breach was announced around July 10, 2024, and legal action followed swiftly. A total of 27 lawsuits were consolidated into a single case in the U.S. District Court for the Middle District of Tennessee.
Going deeper
Though HCA Healthcare denies the allegations of negligence, the company opted to settle without admitting liability. While the full settlement amount remains undisclosed, plaintiffs’ attorneys are eligible to claim up to $3.1 million in legal fees. Given that attorney fees typically represent one-third of a settlement fund, the total payout likely exceeds $9 million. Each of the 15 class representatives will receive up to $5,000 in service awards.
Class members will be compensated after deductions for legal fees, administrative costs, and awards. They are also eligible for:
-
A one-year membership to credit and identity theft protection services, which includes a $1 million insurance policy
-
Reimbursement for documented financial losses related to the breach, up to $5,000 per person
Additionally, HCA Healthcare has committed to implement and maintain enhanced data security measures for at least two years following the settlement. The details of those commitments remain sealed.
The big picture
HCA Healthcare has agreed to a proposed class action settlement in the In re HCA Healthcare, Inc. Data Security Litigation, currently pending in the U.S. District Court for the Middle District of Tennessee. According to the settlement website, “A Court authorized this website, to those that are eligible to receive Settlement Benefits from a proposed class action Settlement” involving HCA Healthcare. While continuing to deny wrongdoing, HCA said it reached the settlement to resolve the matter efficiently and confirmed plans to strengthen its cybersecurity to prevent future incidents. The settlement offers benefits, reimbursements, and security improvements that plaintiffs’ legal teams call a fair and reasonable outcome for class members.
FAQs
How will I know if I’m part of the settlement class?
You should receive a notification if your data was part of the compromised records. You can also visit the official settlement website (once published) to confirm eligibility and file a claim.
What happens if I don’t file a claim?
If you do not file a claim by September 25, 2025, you may forfeit your right to reimbursement and credit protection benefits, though the settlement’s terms may still bind you.
Can I opt out or object to the settlement?
Yes. The deadline to exclude yourself or object is August 25, 2025. Instructions for doing so will be included in the class notice or on the settlement website.
What types of financial losses are eligible for reimbursement?
Class members can claim up to $5,000 for documented, unreimbursed losses that can be reasonably linked to the data breach, such as fraudulent charges or costs for identity restoration.
What kind of security changes will HCA make?
HCA has committed to adopting and maintaining specific cybersecurity measures for at least two years. The full list of actions has been filed under seal and is not publicly disclosed.
Farah Amod
