Hospital chain settles 2023 data breach lawsuit for $7.6 million
Farah Amod
Oct 15, 2025 5:24:14 PM

Hospital Sisters Health System will pay affected patients and boost cybersecurity practices following a 2023 breach that exposed data of nearly 900,000 people.
What happened
Hospital Sisters Health System (HSHS), a Catholic hospital network operating 13 facilities across the Midwest, has agreed to a $7.6 million settlement to resolve class action litigation stemming from a cyberattack in August 2023. The breach impacted 882,782 individuals and involved unauthorized access to personal and health data.
Under the terms of the settlement, class members can submit claims for reimbursement of out-of-pocket losses. Additionally, HSHS will offer 24 months of complimentary credit and identity monitoring services to affected individuals.
Going deeper
The August 2023 breach involved unauthorized access to HSHS’s network between August 16 and August 27. Exposed data may have included names, addresses, birth dates, medical record numbers, insurance information, and, in some cases, Social Security numbers and driver's license numbers. HSHS said it took immediate action upon discovering the breach, engaged forensic investigators, and reported the incident to law enforcement.
As part of the settlement, HSHS has committed to implementing “remedial measures” to enhance its cybersecurity infrastructure. Details of these improvements have not been disclosed. The company denies all allegations of wrongdoing, negligence, or breach of contract.
Attorneys’ fees and settlement administration costs will be deducted from the total $7.6 million amount, leaving less than $5 million for actual compensation. A final hearing is scheduled for December 4 in Sangamon County, Illinois.
What was said
Attorney Paul Hales, who is not involved in the case, commented that this type of settlement has become typical in healthcare breach litigation. He noted that defendants often settle quickly with limited payouts while agreeing to strengthen security, a strategy he says HSHS used effectively. Hales added that while compensation is often small, the lasting benefit lies in improved data protection practices.
HSHS reiterated its denial of any liability in a public statement, noting that settlement notices were sent to potentially affected individuals in September and that its priority remains on delivering quality patient care.
The big picture
According to Paubox report data, the HSHS settlement comes amid rising breach costs across the healthcare sector, including the recent $9.76 million payout by Solara Medical Supplies. The report noted that HSHS’s plan to introduce “remedial measures” fits with OCR’s call for healthcare providers to strengthen cybersecurity before problems occur. Many organizations, Paubox said, only recognize weaknesses after an attack, showing that prevention isn’t just good practice; it’s both a legal and financial obligation.
FAQs
What is a pro-rated cash payment in a class action settlement?
It’s a portion of the remaining settlement fund distributed evenly among all claimants who do not submit documentation for larger out-of-pocket expenses.
Why do many healthcare breach lawsuits settle for relatively small individual payments?
Settlements often prioritize administrative efficiency and legal finality, resulting in modest individual payouts once legal fees and monitoring services are accounted for.
What are “remedial measures” in breach settlements?
These are internal policy and infrastructure changes that organizations agree to implement, such as improving network security, staff training, or incident response processes.
Why are multiple lawsuits sometimes consolidated into a single class action?
Consolidation streamlines legal proceedings, avoids duplication, and provides a unified resolution process for similar claims from multiple plaintiffs.
How does a breach settlement affect ongoing litigation?
Settling one case does not necessarily shield a company from other unrelated lawsuits. In HSHS’s case, it still faces separate class actions related to employment privacy and robocalls.