The imaging provider agreed to resolve claims after a 2022 cyber incident exposed personal and medical information.
Precision Imaging Centers said it detected a network intrusion on November 2, 2022, in which an attacker accessed files containing personal and medical information for more than thirty thousand current and former patients. The data included names, contact details, dates of birth, Social Security numbers, driver’s license numbers, and certain medical information. Notification letters were mailed in June 2023 after the investigation confirmed which individuals were affected.
Multiple lawsuits were filed in response to the breach and later consolidated in a Florida state court under a single complaint. Plaintiffs alleged that the organization did not maintain adequate safeguards and that stronger technical controls could have prevented the intrusion. The claims included negligence, breach of implied contract, and breach of fiduciary duty. Precision Imaging Centers denied wrongdoing and moved to dismiss the case, though the court allowed the core claims to proceed. The parties later reached a mediation agreement to resolve the matter without further litigation, and the settlement has received preliminary approval.
Precision Imaging Centers stated that the settlement does not represent an admission of fault and that it continues to maintain measures intended to protect patient information. Plaintiffs argued that the breach created risks of identity theft and improper use of medical data and noted that costs incurred by affected individuals should be reimbursed. Under the settlement framework, class members may seek repayment for documented losses and lost time and may access credit monitoring services. The agreement also includes commitments by the provider to implement security improvements and adjust data retention practices moving forward.
Healthcare organizations continue to settle breach litigation tied to older cyber incidents as courts weigh how well providers protected patient information and communicated with individuals after detection. Recent enforcement actions show the scrutiny these cases attract; OCR determined in one matter that a hospital system had violated HIPAA because it “failed to provide timely and accurate notification of a breach of unsecured PHI,” had not conducted an “enterprise-wide security risk assessment,” had not “managed identified risks to a reasonable and appropriate level,” and lacked required access and audit controls. Cases like the Precision Imaging Centers breach mirror the same pattern, with organizations adopting longer-term security and compliance programs as litigation progresses.
Imaging providers store large volumes of diagnostic data and personal identifiers, and they often integrate multiple systems to manage scheduling, imaging workflows, and patient communications.
They may seek repayment for documented expenses related to fraud prevention or remediation and can sometimes claim compensation for time spent addressing breach impacts.
Courts often permit negligence-based claims to move forward when plaintiffs allege that stronger security practices could have prevented or reduced the impact of a breach.
They can review access controls, update legacy systems, encrypt stored data, and perform regular testing of their security configurations.
It allows affected individuals to track activity across credit files and receive alerts for unfamiliar accounts or inquiries that could signal misuse of stolen identifiers.