R1 RCM and Dignity Health settle data breach lawsuit for $675,000

The 2023 breach exposed sensitive patient data; affected individuals may now claim credit monitoring and compensation.

 

What happened

R1 RCM Inc. and Dignity Health’s St. Rose Dominican Hospital in Nevada have agreed to a $675,000 settlement to resolve a class action lawsuit stemming from a 2023 data breach. The breach, discovered on November 23, 2023, involved unauthorized access to R1 RCM’s systems and the exfiltration of sensitive patient data affecting 16,121 individuals.

Information accessed included names, contact details, birth dates, Social Security numbers, service locations, diagnosis information, and patient medical record numbers. The breach was reported to the U.S. Department of Health and Human Services’ Office for Civil Rights.

 

Going deeper

The lawsuit, Heather Hillbom v. R1 RCM, Inc. and Dignity Health, filed in April 2024 in the U.S. District Court for the District of Nevada, alleged that both defendants failed to use adequate safeguards to protect patient data. Though R1 RCM and Dignity Health deny any wrongdoing or liability, they chose to settle in order to avoid extended litigation.

Under the settlement terms, affected individuals are eligible for:

  • Two years of identity theft protection and three-bureau credit monitoring via CyEx Medical Shield Total
  • Monetary payments, calculated after deductions for legal and administrative costs
  • Reimbursement for documented losses:
    • Up to $500 for ordinary out-of-pocket expenses
    • Up to $2,500 for extraordinary losses tied to fraud or identity theft

What was said

The defendants have not admitted to any fault but agreed to the settlement to resolve the matter efficiently. The settlement terms provide for service awards, attorney fees, and other associated legal costs to be deducted before payments are distributed to affected individuals.

A final court hearing to approve the agreement is scheduled for November 14, 2025. Individuals must file claims by November 11, 2025, and the deadline to object or opt out is October 13, 2025.

 

FAQs

How does this settlement affect healthcare organizations and their vendors?

The case demonstrates the legal and financial risks associated with breaches involving business associates and covered entities. Even without admitting fault, both R1 RCM and Dignity Health faced litigation costs and a $675,000 payout, showing the need for rigorous vendor risk management and data security practices.

 

What lessons can healthcare providers and revenue cycle management (RCM) vendors draw from this breach?

Organizations must ensure business associates follow HIPAA security requirements and implement layered safeguards. A single vendor incident can expose both the associate and the healthcare provider to liability, reputational harm, and class action lawsuits.

 

Why is vendor oversight so critical in HIPAA compliance?

The breach stemmed from unauthorized access to R1 RCM’s systems, but Dignity Health was also named in the lawsuit. This reinforces that covered entities remain responsible for ensuring vendors with access to PHI maintain compliance through audits, contractual safeguards, and ongoing monitoring.

 

Does settling without admitting wrongdoing still have compliance implications?

Yes. While settlements often include “no admission of liability” language, the outcome still signals to regulators and industry peers that data security lapses can be costly. It also sets a precedent for future cases and may trigger more scrutiny from the Office for Civil Rights (OCR).

 

What proactive steps can organizations take to mitigate similar risks?

  • Conduct regular vendor risk assessments
  • Implement HIPAA-compliant communication and data handling tools
  • Require breach response and notification procedures in contracts
  • Monitor third-party compliance continuously, not just at onboarding