The 2023 breach exposed sensitive patient data; affected individuals may now claim credit monitoring and compensation.
R1 RCM Inc. and Dignity Health’s St. Rose Dominican Hospital in Nevada have agreed to a $675,000 settlement to resolve a class action lawsuit stemming from a 2023 data breach. The breach, discovered on November 23, 2023, involved unauthorized access to R1 RCM’s systems and the exfiltration of sensitive patient data affecting 16,121 individuals.
Information accessed included names, contact details, birth dates, Social Security numbers, service locations, diagnosis information, and patient medical record numbers. The breach was reported to the U.S. Department of Health and Human Services’ Office for Civil Rights.
The lawsuit, Heather Hillbom v. R1 RCM, Inc. and Dignity Health, filed in April 2024 in the U.S. District Court for the District of Nevada, alleged that both defendants failed to use adequate safeguards to protect patient data. Though R1 RCM and Dignity Health deny any wrongdoing or liability, they chose to settle in order to avoid extended litigation.
Under the settlement terms, affected individuals are eligible for:
The defendants have not admitted to any fault but agreed to the settlement to resolve the matter efficiently. The settlement terms provide for service awards, attorney fees, and other associated legal costs to be paid before payments are distributed to affected individuals.
A final court hearing to approve the agreement is scheduled for November 14, 2025. Individuals must file claims by November 11, 2025, and the deadline to object or opt out is October 13, 2025.
The case demonstrates the legal and financial risks associated with breaches involving business associates and covered entities. Even without admitting fault, both R1 RCM and Dignity Health faced litigation costs and a $675,000 payout, showing the need for rigorous vendor risk management and data security practices.
Organizations must ensure business associates follow HIPAA security requirements and implement layered safeguards. A single vendor incident can expose both the associate and the healthcare provider to liability, reputational harm, and class action lawsuits.
The breach stemmed from unauthorized access to R1 RCM’s systems, but Dignity Health was also named in the lawsuit. This reinforces that covered entities remain responsible for ensuring vendors with access to PHI maintain compliance through audits, contractual safeguards, and ongoing monitoring.
Yes. While settlements often include “no admission of liability” language, the outcome still signals to regulators and industry peers that data security lapses can be costly. It also sets a precedent for future cases and may trigger more scrutiny from the Office for Civil Rights (OCR).