Morris Hospital & Healthcare Centers decided to resolve a combined class action lawsuit that claimed negligence for not preventing a data breach in April 2023 that impacted 248,943 persons. The terms of the settlement agreement require Morris Hospital to create a $1,361,571.77 settlement fund for payment of attorneys’ fees, legal costs, and class members’ benefits.
In April 2023, Morris Hospital discovered unauthorized access to its system. Threat actors acquired access to the personal data and protected health information (PHI) of present and past patients, employees, as well as their dependents and beneficiaries. The cyberattack conducted by the Royal ransomware group involved the theft of patient data, which was posted on its data leak website. The data breach saw the filing of multiple class action lawsuits, which were combined into one lawsuit – In re: Morris Hospital Data Breach Litigation – filed in the Circuit Court of the Thirteenth Judicial Circuit, Grundy County, Illinois. Aside from negligence, the lawsuit stated claims of breach of fiduciary duty, negligence per se, unjust enrichment, breach of implied contract, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
Morris Hospital rejects all accusations of wrongdoing and liability, although the plaintiffs feel the claims are meritorious. All parties consented to settle the litigation, which was considered the best choice for all parties, taking into account the costs and risks of ongoing litigation. The court has given preliminary approval of the settlement. The schedule of the final fairness hearing is October 24, 2025. Class members’ benefits will be paid after deducting all costs and expenditures from the settlement fund, which includes approximately $453,857.26 in attorneys’ fees, attorneys’ expenses, settlement administration costs, and $2,000 service awards paid to the 13 plaintiffs.
All class members could file a claim for two years of identity theft protection and comprehensive credit monitoring services via CyEx Medical Shield Total. Additionally, class members may opt to file a claim to reimburse documented, out-of-pocket losses up to $5,000. If not filing a claim for losses, class members could alternatively claim a cash payment that is approximately $100, subject to the number of claims submitted. Objection to or exemption from the settlement can be submitted on or before September 29, 2025. The deadline to file a claim is October 28, 2025. For more details about the settlement, visit the website www.morrishospitalsettlement.com/
Cybersecurity awareness should be included in the HIPAA training of employees of covered entities like Morris Hospital
