Watson Clinic reaches $10M settlement after 2024 cyberattack

Watson Clinic agreed on November 20, 2025, to a $10 million settlement to resolve the consolidated class action lawsuit Viviani v. Watson Clinic, LLP, which stemmed from litigation filed by plaintiffs Charles Viviani and David Thorpe in the U.S. District Court for the Middle District of Florida.

 

What happened

The settlement followed more than a year of legal activity and was reached despite Watson Clinic’s firm denial of all wrongdoing, liability, or negligence. According to court filings, the decision to settle was driven by the high cost, length, and uncertainty of continued litigation. Under the agreement, Watson Clinic will establish a $10,000,000 fund that covers attorneys’ fees, administrative costs, service awards to the named plaintiffs, and financial relief for affected patients. 

The settlement provides unusually high compensation in comparison to similar cases, with automatic cash payments of up to $75,000 for individuals whose sensitive medical images were posted on the dark web, and additional claim-based reimbursements for ordinary or extraordinary losses. Key deadlines include January 6, 2025, for objections and exclusions, February 5, 2025, for submitting claims, and a final fairness hearing scheduled for March 9, 2025.

 

The backstory 

Hackers first infiltrated Watson Clinic’s network on January 26, 2024, slipping in undetected and moving quietly through systems that supported one of Florida’s largest multispecialty medical groups. The attackers were able to access files containing highly sensitive patient information, including medical records and even medically necessary pre- and post-operative images, some of which were later leaked to the dark web. 

Watson Clinic did not discover the intrusion until February 6, 2024, when unusual network activity triggered an internal investigation and the clinic brought in external forensic specialists. Over the following months, investigators traced the timeline of the breach, identified the compromised systems, and reviewed hundreds of thousands of files to determine what had been exposed. 

Watson Clinic received the full results of this review in July 2024 and publicly announced the data breach in August 2024, notifying more than 280,000 current and former patients that their personal and medical information had been stolen.

 

What was said 

According to the notice of security incident, “With the exception of files containing details about one individual, who we previously notified, we have not been able to confirm whether the unauthorized third party actually viewed or acquired the files containing personal information or protected health information. But, because the unauthorized third party potentially accessed those files, we are providing this notice out of an abundance of caution.”

 

The big picture 

The HHS Office for Civil Rights (OCR) issued some of its largest penalties ever this year, with fines ranging from $80,000 to more than $9 million for failures such as unenforced email encryption, inadequate security controls, and missing risk analyses. These enforcement actions reflect a clear trend toward harsher consequences for preventable cybersecurity weaknesses. 

At the same time, IBM reports that the average cost of a healthcare data breach in 2025 has reached $11 million, the highest of any industry for the 14th year running, due to a combination of class action litigation, regulatory fines, forensic investigations, downtime, and reputational harm. In this broader context, Watson Clinic’s $10 million payout sits almost exactly in line with the national averages and enforcement patterns.


FAQs

What determines the size of a settlement fund?

Settlement amounts depend on the scale of the breach, the sensitivity of the data exposed, and the strength of the claims brought by plaintiffs.

 

Do healthcare settlements include credit monitoring services?

Yes, most settlements offer free credit monitoring or identity theft protection for a set period.

 

How do data breach settlements relate to OCR penalties?

Settlements are separate from OCR fines, meaning organizations may face both regulatory penalties and private litigation costs for the same incident.