Patients and employees affected by a 2023 ransomware attack can now claim compensation or credit monitoring as part of a court-approved settlement.
Morris Hospital & Healthcare Centers has agreed to pay $1,361,571.77 to settle a consolidated class action lawsuit stemming from an April 2023 data breach that exposed the personal and health information of nearly 249,000 individuals. The Royal ransomware group was behind the attack and later leaked the stolen data online.
The exposed data included information on current and former patients, employees, and their dependents. Lawsuits followed, alleging Morris Hospital failed to safeguard sensitive data. These cases were merged into a single proceeding in the Illinois state court.
The consolidated lawsuit, In re: Morris Hospital Data Breach Litigation, claimed negligence, breach of fiduciary duty, breach of implied contract, and violations of state consumer protection laws. Morris Hospital has denied any wrongdoing but agreed to the settlement to avoid the costs and risks of prolonged litigation.
The court has granted preliminary approval of the settlement. A final fairness hearing is scheduled for October 24, 2025. After legal fees and administrative costs are deducted, the remaining funds will be used to compensate affected individuals.
Eligible class members can receive:
While Morris Hospital continues to deny liability, the parties agreed the settlement was a fair outcome given the uncertainty and cost of continuing with litigation. The settlement does not constitute an admission of fault.
Individuals who wish to opt out or object to the settlement have until September 29, 2025. Claims for benefits must be submitted no later than October 28, 2025, via www.morrishospitalsettlement.com.
The Morris Hospital settlement shows the financial and reputational risks of data breaches. Beyond direct remediation costs, organizations may face class action exposure, even if no proven misuse of data occurs.
For organizations, the pro rata payout shows how unpredictable breach liability can be. Claim volumes determine costs, which means financial exposure is not always capped or predictable. This shows risk transfer through cyber insurance and incident response planning.
Many settlements include reimbursement for out-of-pocket costs and identity protection. Companies should be prepared that regulators and courts now view these as baseline remedies, not optional goodwill.
No. While consumers must elect one option, companies should note that providing layered remedies (cash and services) is increasingly demanded in negotiations. Planning settlement budgets should account for these expectations.
Delays or inadequate responses can lead to higher settlement costs and loss of goodwill. Inaction can also weaken a legal defense against negligence claims.