Physician-owned radiology practice, Consulting Radiologists Ltd., decided to settle a class action data breach lawsuit. The provider offers medical imaging services to more than 100 healthcare facilities in Minnesota and the surrounding places.
Consulting Radiologists reported the data breach to the HHS’ Office for Civil Rights on June 14, 2024, indicating that up to 583,824 individuals’ protected health information (PHI) were affected. It identified the network intrusion on February 12, 2024. The investigation showed that an unauthorized third party accessed the system and potentially obtained patient data such as names, dates of birth, addresses, medical data, health insurance details, and the Social Security numbers of 19,346 persons.
In April 2024, Consulting Radiologists announced the data breach and mailed breach notification letters to the affected people. Immediately thereafter, a class action lawsuit was filed followed by an additional 18 complaints. District Court Judge Thomas Conley released an order to consolidate all lawsuits faced by Consulting Radiologists. On November 1, 2024, the consolidated lawsuit was submitted in the District Court of the 4th Judicial District Court of Hennepin County, Minnesota.
In re Consulting Radiologists Data Incident Lawsuit claimed the data breach was because of negligence and might have been avoided if acceptable and appropriate cybersecurity procedures were executed and maintained. The lawsuit alleged that Consulting Radiologists committed a violation of the HIPAA Guidelines, including the HIPAA Security Rule, because it did not correctly secure patient information and the HIPAA Breach Notification Guideline as a result of the delay in issuing breach notifications to the impacted people.
The lawsuit asserted the following claims:
- breach of contract
- breach of fiduciary duty
- breach of implied contract
- breach of third-party contract
- negligence
- negligence per se
- breach of confidence
- unjust enrichment
- breach of implied covenant of good faith and fair dealing
- invasion of privacy
- violations of the Minnesota Consumer Fraud Act and Minnesota Health Records Act
Consulting Radiologists filed a motion to dismiss the case, and it was partially successful; however, the court failed to dismiss the claims of negligence, negligence per se, unjust enrichment, injunctive/declaratory relief, and violations of the Minnesota Consumer Fraud Act and Minnesota Health Records Act. Following mediation and ongoing negotiations, the parties agreed on a settlement and concluded litigation, without admission of liability or wrongdoing. Consulting Radiologists has decided to pay $2,200,000 to cover lawyers’ fees and expenses, settlement administration and notification expenses, 19 class representatives’ service awards, and class members’ benefits.
Class members may claim up to three benefits based on the settlement as follows:
- A claim may be submitted for reimbursement of documented, unreimbursed expenses due to the data breach up to $5,000 per class member.
- A claim for Single-bureau credit monitoring services for two years
- A claim for cash payment, the amount of which depends on the types of breached data, and are likely to be $125 for individuals who had their Social Security numbers involved, and $50 for all other class members. The cash payments are subject to a pro rata with a cap of under $2,200,000.
The deadline to file for objection to and exclusion from the settlement is January 30, 2026. Claims must be filed on or before March 2, 2026. The court scheduled the final fairness hearing on February 25, 2026. Watch for additional announcement on the settlement website: https://www.crdatasettlement.com/