General Physician, P.C. has agreed to pay $2.5 million to resolve a class action lawsuit related to a 2024 cybersecurity incident that exposed patient information stored in its systems.
Incident Timeline and Unauthorized Access
The cybersecurity incident involved unauthorized access to the organization’s email environment between April 6, 2024, and June 12, 2024. Suspicious activity within the email environment was detected on June 12, 2024. A forensic investigation determined that an unauthorized third party had access to the system during that time period.
The incident exposed patient information that was stored in the affected environment. The compromised information included full names, addresses, Social ohySecurity numbers, financial account information, dates of birth, medical history information, mental and physical treatment information, diagnosis information, treating doctor names, medical record numbers, and medical insurance details.
The breach was reported to the U.S. Department of Health and Human Services Office for Civil Rights using an initial placeholder estimate of 501 affected individuals. That figure was later updated to 167,387 individuals whose protected health information (PHI) may have been compromised.
Litigation and Consolidation of Claims
Multiple class action lawsuits were filed after the breach became known. The lawsuits were consolidated under the case Newhart v. General Physician, P.C. filed in the Supreme Court of the State of New York, County of Erie.
The plaintiffs claimed that General Physician did not implement reasonable and appropriate cybersecurity safeguards to protect sensitive patient data stored within its systems as required of HIPAA-certified entities. The company denied liability and denied wrongdoing.
Following mediation and negotiations between the parties, a settlement agreement was reached to resolve the litigation.
Settlement Fund and Compensation Structure
The settlement agreement establishes a $2,500,000 fund that will be used to pay class members after deductingg attorneys’ fees, litigation expenses, settlement administration costs, and service awards for class representatives.
The settlement class includes approximately 490,210 individuals residing in the United States whose private information may have been accessed or acquired by an unauthorized party during the incident reported in October 2024.
Eligible individuals may submit claims for benefits through the settlement program. Claim options include reimbursement for documented losses related to the data incident up to $5,000 per person. An alternative cash payment option is available for individuals who do not submit documentation of losses, with estimated payments of approximately $60 depending on the number of valid claims submitted.
Settlement class members may also request enrollment in credit monitoring and medical data monitoring services for two years. These services include monitoring of credit activity and medical identity information.
