Security Lapse, Heavy Price: Cardiovascular Consultants Pays $3.85M

A major data breach settlement in the U.S. healthcare sector is drawing attention to the growing legal and financial risks associated with cybersecurity lapses. Cardiovascular Consultants, a healthcare provider based in Arizona, has agreed to pay $3.85 million to resolve a class action lawsuit related to a 2023 cyberattack that compromised the sensitive patient data of about 484,000 individuals. The breach was discovered on September 29, 2023, although forensic investigators later determined that unauthorized access to the organization’s network had occurred two days earlier. A threat actor infiltrated the system, exfiltrated sensitive files, and subsequently deployed ransomware to encrypt data during this time. This combination of data theft and system disruption reflects a common and increasingly damaging pattern in modern cyberattacks targeting healthcare organizations.

The exposed data was highly sensitive and extensive in scope. It involved personally identifiable information such as names, addresses, dates of birth, Social Security numbers, and driver’s license or state ID numbers. The compromised files also contained medical and insurance-related information, which included diagnosis and treatment details, policy data, and guarantor information. Emergency contact details and billing records were also affected, amplifying the potential risk of identity theft, financial fraud, and medical identity misuse for those impacted. Notification letters were not sent to affected individuals until December 2, 2023, despite the breach being detected in late September. This delay became a central issue in subsequent legal action, as plaintiffs argued that the organization failed to provide timely notice, limiting individuals’ ability to take prompt protective measures.

The lawsuit was originally filed in December 2023 by Georgios Asimakopoulos and Michele Stroup, with additional individuals later joining as class representatives. The complaint alleged multiple legal violations, including negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, and invasion of privacy. It also cited violations of the Arizona Consumer Fraud Act. At the heart of the case were claims that Cardiovascular Consultants failed to implement adequate cybersecurity safeguards and did not respond appropriately after the breach was discovered.

Cardiovascular Consultants denied all allegations and moved to dismiss the case. While the court partially granted this motion, key elements of the lawsuit were allowed to proceed. An amended complaint remains pending in the Superior Court of Arizona, which highlights the complexity of the legal proceedings. Ultimately, the parties agreed to resolve the dispute by mediation, avoiding the prolonged costs and uncertainty linked to a trial. The $3.85 million settlement fund will cover legal fees, administrative costs, and service awards for class representatives, with the remaining funds distributed to affected individuals.

Under the terms of the settlement, class members are eligible for two years of medical monitoring services, a common remedy in data breach cases designed to help individuals detect potential misuse of their information. Individuals may submit claims for reimbursement of documented out-of-pocket expenses related to the breach, up to a maximum of $5,000 per person. In addition, class members may receive a pro rata cash payment, estimated at around $75, although the final amount will depend on the number of valid claims submitted.

The settlement has received preliminary court approval with a final fairness hearing set for August 18, 2026. Key deadlines have been established for those affected: individuals must submit objections or opt out of the settlement by June 1, 2026, and claims must be filed by July 1, 2026. This case highlights the increasing legal scrutiny faced by healthcare organizations following data breaches, particularly when sensitive medical and personal data are involved. It underscores the importance of robust cybersecurity measures, timely breach detection, and transparent communication with affected individuals.

As cyber threats continue to rise, healthcare providers remain prime targets due to the high value of medical data. This settlement serves as a reminder that, beyond operational disruption, data breaches can lead to significant financial penalties and reputational damage. For patients, it reinforces the need for vigilance in monitoring personal and medical information after such incidents.

Reference: Alder S. Cardiovascular Consultants pays $3.85M to settle data breach litigation. HIPAA Journal. Published April 2, 2026. Accessed April 6, 2026.
