Patients affected by the breach may be eligible for cash payments or reimbursement of documented expenses.
What happened
MedStar Health has agreed to a $1.35 million settlement to resolve a class action lawsuit stemming from a 2023 data breach that impacted over 183,000 individuals. The breach occurred between January 25 and October 18, 2023, when unauthorized access was gained to the email accounts of three MedStar employees. Sensitive patient data, including protected health information (PHI), was exposed. Notifications were sent to affected individuals on May 4, 2024.
Following the breach disclosure, six class action lawsuits were filed and later consolidated into a single case in the U.S. District Court for the District of Maryland. Plaintiffs claimed MedStar failed to implement reasonable data protection safeguards.
Going deeper
MedStar Health, the largest healthcare provider in Maryland and Washington, D.C., operates across 120 entities, including 10 hospitals. Though the organization denies wrongdoing, it agreed to settle to avoid prolonged litigation and associated costs.
The $1.35 million fund will cover up to $450,000 in legal fees, $250,000 in administrative costs, and $2,500 payments to each of the six named plaintiffs. The remaining amount will be used to compensate class members and cover medical data monitoring expenses.
Eligible individuals, those who were notified their information was exposed during the breach period can file a claim for up to $5,000 in documented losses or opt for a cash payment, currently estimated at $100, along with one year of medical data monitoring.
What was said
MedStar Health has not admitted to any liability or legal violations. The organization maintains that its systems and protocols were reasonable but agreed to the settlement as a practical resolution. The settlement received preliminary court approval, and the final fairness hearing is scheduled for November 4, 2025.
Class members have until September 14, 2025, to opt out or object, and until October 14, 2025, to file claims.
FAQs
Who qualifies as a class member in this settlement?
Any current or former MedStar Health patient or employee who received a notification that their personal data was exposed between January 25 and October 18, 2023.
What is the difference between the two available claims?
Claimants can choose between a reimbursement of documented out-of-pocket losses (up to $5,000) or a flat cash payment (estimated at $100), plus one year of healthcare data monitoring.
What is the process to file a claim or opt out?
Eligible individuals will need to submit a claim form online or by mail. Instructions are typically included in the notification letter or available through the settlement administrator.
Can the cash payment amount change?
Yes. The $100 cash estimate may increase or decrease depending on how many valid claims are submitted.
What happens at the final fairness hearing?
The court will decide whether the settlement is fair, reasonable, and adequate. If approved, payments will be distributed to valid claimants and the settlement terms will take effect.
Farah Amod
