Hypertension Nephrology Associates Settles its Data Breach Lawsuit for $625,000

Dec 21, 2025

Hypertension Nephrology Associates (HNA), located in Willow Grove, Pennsylvania, has decided to pay $625,000 to resolve a class action lawsuit associated with a January 2024 data breach. HNA discovered the unauthorized system access on February 6, 2024, after finding a ransom note. A ransomware actor gained access to its network, then stole the personal data and protected health information (PHI) of 39,491 patients, including medical and financial data. As a HIPAA-covered entity, HNA sent notification letters to the affected persons on May 17, 2024.

In response to the data breach, plaintiff Patricia Kidwell filed a lawsuit in the Court of Common Pleas of Montgomery County, Pennsylvania. The lawsuit, Kidwell v. Hypertension Nephrology Associates, P.C., alleges that the attack and data breach resulted from the defendant’s failure to use appropriate security protections, which violates the HIPAA Security Rule. The lawsuit likewise stated that the defendant was two weeks late in identifying the data breach and then postponed sending breach notifications for three months, which violates the HIPAA Breach Notification Law. HNA provided the affected persons with free credit monitoring services for 12 months, which the plaintiff stated was totally insufficient.

The lawsuit asserted claims of invasion of privacy, negligence, breach of implied contract, negligence per se, and unjust enrichment. HNA rejects all claims and maintains that there was no wrongdoing. Soon after the lawsuit was filed, the plaintiff and defendant decided to negotiate an early resolution. The mediation resulted in a settlement that both parties deemed acceptable.

HNA will create a $625,000 settlement fund to pay for attorneys’ fees and expenditures, settlement management expenses, and class representative awards. The fund will also cover the class members’ benefits. Class members may file a claim for reimbursement of documented, unreimbursed out-of-pocket expenses, up to $5,000 for each class member. Otherwise, class members may claim a one-time cash payment. The cash payment amount will depend on how many valid claims are received. Irrespective of the option selected, all class members may likewise avail themselves of the credit monitoring and insurance services for two years. The last day to submit a claim is January 20, 2026. The final fairness hearing will be held on February 18, 2026.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world-class team of subject matter experts in regulatory compliance at ComplianceJunction to help organizations navigate the complex landscape of ensuring staff adhere to healthcare regulations.
