Boston Children’s Health Physicians (BCHP) and ATSG Inc. based in Valhalla, NY, have consented to pay $5,150,000 to resolve a class action litigation associated with a cyberattack in September 2024. The resulting data breach affected roughly 918,000 people. This multi-specialty pediatric group serves newborns and children from Connecticut and New York.
BCHP learned on September 6, 2024 about a hacking incident involving unauthorized access to the networks of ATSG Inc. – now called XTIUM Inc., its managed services provider. Then, on September 10, 2024, the hacking group exploited the IT vendor’s access to compromise BCHP’s systems.
The Bianlian hacking group said it is behind the attack and accessed names, birth dates, addresses, Social Security numbers, driver’s license numbers, medical insurance data, billing details, medical record numbers, and limited treatment data. The breach report submitted to the HHS indicated that the protected health information (PHI) of 909,469 patients was compromised. Employee data with roughly 918,000 individuals was also compromised.
BCHP is facing five lawsuits that were filed because of the data security incident. The five lawsuits were combined into one, the Noni Wahab, et al. v. Boston Children’s Health Physicians, LLP and ATSG Inc. The lawsuit was filed in the Supreme Court of the State of New York, County of Westchester. The combined lawsuit alleged breach of implied contract, negligence, negligence per se, unjust enrichment, breach of third-party beneficiary contract, and a New York General Business Law violation.
The defendants do not admit any wrongdoing or liability; nevertheless, they opted to resolve the lawsuit to avoid lawsuit expenses, burden, and business operations interruption linked to ongoing litigation. The terms of the settlement require the defendants to create a $5,150,000 settlement fund to pay for attorneys’ fees (around $1,716,667), attorneys’ costs (not yet decided), class representatives service awards ($2,500 per named plaintiffs), credit monitoring costs (not yet decided), class members’ payments, and settlement administration fees (not yet decided).
Class members may avail either of the two cash payments available. Class members could file a claim to reimburse documented, unreimbursed expenses reasonably linked to the data breach ($5,000 maximum per class member). Otherwise, class members could opt for a pro rata cash payment that is computed after paying all expenses and claims. The cash payment is likely $100, though it could increase or decrease according to the number of eligible claims.
Besides a cash payment, class members can avail Cyex Medical Shield Medical Data Monitoring for two years, including medical identity tracking, real-time notifications, and an identity theft insurance plan worth $1 million. The court has given preliminary approval of the settlement. The schedule of the final fairness hearing is December 10, 2025. Class members who like to object to or be excluded from the settlement should do so on or before November 10, 2025. Claims should be filed by November 25, 2025. For more information regarding the settlement, visit bchpsettlement.com.