Shields Healthcare settles 2022 breach lawsuit with $15 million payout
Kirsten Peremore
May 31, 2025 11:06:30 AM

In March 2022, Shields Healthcare Group, a Massachusetts-based medical imaging provider operating 30 facilities across New England, experienced a significant data breach. Now, following a lawsuit, the company has reached a settlement.
What happened
According to Shields’ breach notice and the consolidated legal complaints, the attackers maintained uninterrupted access for at least two weeks, during which they exfiltrated sensitive information belonging to nearly 2.4 million individuals. The compromised data included protected health information (PHI) and personally identifiable information (PII) such as names, addresses, dates of birth, Social Security numbers, insurance details, billing records, and medical and treatment information.
The exposed data was allegedly offered for sale on illicit platforms by cybercriminals. This breach led to multiple lawsuits filed in 2022, which were later consolidated into two class action cases. On May 21, 2025, a federal judge in Boston granted preliminary approval for a $15.35 million settlement. Although Shields Healthcare Group denied any wrongdoing or liability, it agreed to the settlement and committed to further investments in cybersecurity measures and IT staffing to mitigate future risks.
In the know: Federal settlement decisions
Federal judges approve class-action settlements under Rule 23 of the Federal Rules of Civil Procedure only if they find them fair, reasonable, and adequate for all class members. In Shields’ case, Judge Finkelstein reviewed the evidence of a network intrusion from March 7 through March 21, 2022, that exposed protected health information for nearly 2.4 million patients.
He weighed the plaintiffs’ claims that Shields violated HIPAA’s Security and Breach Notification Rules (45 C.F.R. § 164.400 et seq.) by allowing weeks of unauthorized access and delaying patient notice, against Shields’ denials of liability and the costs and uncertainties of a trial.
Finding that the proposed $15.35 million fund would provide meaningful relief and that plaintiffs’ counsel had negotiated it at arm’s length, with proper documentation of attorneys’ fees, the judge gave preliminary approval on May 21, 2025. His decision reflects a balance between enforcing federal data-privacy standards and avoiding the delays and expense of continued litigation.
What was said
According to the settlement, “Since the Incident, Defendant has invested significantly in remediation, cybersecurity enhancements, and expansion of its IT workforce (“Data Security Enhancements”), and has committed to maintaining those investments and measures for the foreseeable future, details of which were confidentially shared with Plaintiffs’ Counsel during settlement negotiations.”
FAQs
What is a healthcare data breach?
A healthcare data breach occurs when unauthorized individuals gain access to protected health information (PHI) or personally identifiable information (PII).
Can a company be held liable even if it denies wrongdoing?
Yes. In many settlements, including Shields’, the company may deny liability but agree to settle to avoid lengthy litigation. The court can still approve the settlement if it provides fair and reasonable compensation to affected individuals.
What constitutes a breach under HIPAA?
A breach is defined as unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the privacy or security of the information. Unless you can demonstrate a low probability of compromise through a risk assessment, the incident is presumed to be a breach.