Patients affected by the breach may be eligible for cash payments or reimbursement of documented expenses.
MedStar Health has agreed to a $1.35 million settlement to resolve a class action lawsuit stemming from a 2023 data breach that impacted over 183,000 individuals. The breach occurred between January 25 and October 18, 2023, when unauthorized access was gained to the email accounts of three MedStar employees. Sensitive patient data, including protected health information (PHI), was exposed. Notifications were sent to affected individuals on May 4, 2024.
Following the breach disclosure, six class action lawsuits were filed and later consolidated into a single case in the U.S. District Court for the District of Maryland. Plaintiffs claimed MedStar failed to implement reasonable data protection safeguards.
MedStar Health, the largest healthcare provider in Maryland and Washington, D.C., operates across 120 entities, including 10 hospitals. Though the organization denies wrongdoing, it agreed to settle to avoid prolonged litigation and associated costs.
The $1.35 million fund will cover up to $450,000 in legal fees, $250,000 in administrative costs, and $2,500 payments to each of the six named plaintiffs. The remaining amount will be used to compensate class members and cover medical data monitoring expenses.
Eligible individuals, meaning those who were notified that their information was exposed during the breach period, can file a claim for up to $5,000 in documented losses or opt for a cash payment, currently estimated at $100, along with one year of medical data monitoring.
MedStar Health has not admitted to any liability or legal violations. The organization maintains that its systems and protocols were reasonable but agreed to the settlement as a practical resolution. The settlement received preliminary court approval, and the final fairness hearing is scheduled for November 4, 2025.
Class members have until September 14, 2025, to opt out or object, and until October 14, 2025, to file claims.
Any current or former MedStar Health patient or employee who received a notification that their personal data was exposed between January 25 and October 18, 2023.
Claimants can choose between a reimbursement of documented out-of-pocket losses (up to $5,000) or a flat cash payment (estimated at $100), plus one year of healthcare data monitoring.
Eligible individuals will need to submit a claim form online or by mail. Instructions are typically included in the notification letter or available through the settlement administrator.
Yes. The $100 cash estimate may increase or decrease depending on how many valid claims are submitted.
The court will decide whether the settlement is fair, reasonable, and adequate. If approved, payments will be distributed to valid claimants and the settlement terms will take effect.