HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Oregon Medical Center offers settlement after 2023 data breach

Written by Farah Amod | Nov 21, 2025 5:47:53 PM

Patients affected by an email breach at the Neuromusculoskeletal Center of the Cascades can now file for compensation and monitoring services.


What happened

Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon have agreed to settle a class action lawsuit related to a data breach that occurred in October 2023. During the incident, unauthorized actors accessed employee email accounts over a two-day period, compromising sensitive patient and employee data.

The compromised information included names, contact details, dates of birth, Social Security numbers, driver's license or state ID numbers, financial data, medical records, health insurance information, and digital signatures. The breach affected 22,796 individuals, with 19,373 potentially having their protected health information (PHI) exposed.


Going deeper

Following the breach, notification letters were mailed to affected individuals on December 1, 2023. Two lawsuits filed separately by Krysta Hakkila and Ida Vetter were consolidated into one case in Oregon’s Deschutes County Circuit Court.

The plaintiffs alleged that the medical center failed to implement reasonable data security practices, bringing claims including negligence, unjust enrichment, invasion of privacy, and violations of Oregon consumer protection laws. The defendants deny wrongdoing but agreed to a settlement to avoid litigation costs.


What was said

The proposed settlement, now preliminarily approved by the court, offers the following benefits to affected individuals:

  • Two years of free medical data monitoring (CyEx Medical Shield Total)
  • Up to $500 reimbursement for documented out-of-pocket losses
  • Up to $100 for documented lost time (4 hours at $25/hour)
  • Up to $2,500 reimbursement for identity theft or fraud losses
  • Or a one-time $80 cash payment instead of other benefits

The deadline to submit claims is December 26, 2025, with a final approval hearing scheduled for January 9, 2026. Those wishing to object or exclude themselves from the settlement must do so by November 25, 2025.


The big picture

According to Paubox's report, 2025 Mid-Year Email Breach Data Reveals There's No Slowing Down, healthcare email systems continue to represent a major cybersecurity weakness. In the first half of 2025 alone, 107 email-related breaches were reported to the HHS Office for Civil Rights, affecting 1.65 million individuals, an average of roughly 16,000 records per incident.

The report found that 81% of those breaches were categorized as hacking or IT incidents, and 16% involved business associates, showing that vendor and employee email compromises remain a top attack vector. The Oregon Medical Center case fits squarely into this trend: even two days of unauthorized access to employee inboxes exposed thousands of patient records and triggered costly litigation.


FAQs

Why are email systems frequent breach entry points for healthcare providers?

Email accounts often store unencrypted PHI, billing data, and internal communications. Attackers exploit weak passwords or unprotected remote access to take over an account, then use that foothold to move laterally inside healthcare networks.


What internal controls could have limited the Oregon breach’s impact?

Timely multifactor authentication rollout, restricted PHI transmission through email, and automated anomaly detection could have reduced exposure and accelerated containment.


How can providers verify whether their email protections meet compliance expectations?

Organizations should document encryption standards, retention policies, and access logs. Independent audits or tabletop exercises can confirm that detection, isolation, and notification steps align with HIPAA and state breach-response timelines.


What operational lessons emerge from the Neuromusculoskeletal Center case?

Providers should treat email as a high-risk system, applying data-loss prevention, role-based permissions, and employee phishing simulations. Fast forensic response and transparent communication can mitigate both reputational and legal damage.


How can healthcare entities strengthen resilience against similar litigation?

Maintaining a tested incident-response plan, routinely auditing vendor email integrations, and demonstrating continuous security improvement rather than one-time compliance can greatly reduce class-action vulnerability.