Hillcrest Convalescent Center has received preliminary court approval for a proposed settlement that resolves consolidated class action litigation arising from a June 2024 cyberattack that involved the potential unauthorized access to patients’ personal and protected health information (PHI).
Inpatient rehabilitation and skilled nursing facility, Hillcrest Convalescent Center in Durham, North Carolina faced litigation over a June 2024 cyberattack on the organization’s computer systems. The incident involved potential unauthorized access to systems and theft of HIPAA-covered data belonging to affected individuals.
The breached information likely included names, addresses, financial account details, birth dates, driver’s license numbers, Social Security numbers, other government-issued ID numbers, medical treatment details, medical insurance information, and provider data. The center sent notification letters to more than 106,000 affected individuals in March 2025.
Multiple class action lawsuits were filed after the data incident. With the overlapping claims, the lawsuits were consolidated into a single case — In re Hillcrest Convalescent Center, Inc. Data Breach Litigation, Case No. 25CV002700-310. The litigation is pending in the Superior Court of Durham County, North Carolina.
Hillcrest denies the allegations and maintains that it did not commit wrongdoing. Hillcrest filed a motion to dismiss the consolidated complaint in September 2025. The plaintiffs submitted their response in October 2025, and Hillcrest later filed a reply supporting its motion to dismiss. The court has not determined liability or ruled in favor of either party.
Settlement discussions followed, and during mediation conducted in January 2026, the parties reached agreement on the material terms of a settlement to avoid the costs, risks, disruptions, and uncertainty associated with continued legal proceedings. The proposed settlement has since received preliminary approval from the court.
Eligible class members may reimburse documented out-of-pocket losses associated with the data incident. Reimbursement is available for documented losses up to a maximum of $2,500 per class member. Class members who do not reimburse documented losses may instead request an alternative cash payment, which is estimated to be $50 per claimant.
All eligible class members may also receive credit monitoring services for two years. Hillcrest also provides identity theft insurance with up to $1 million coverage during the monitoring period.
Individuals seeking settlement benefits must submit a valid claim by August 26, 2026. The settlement administrator accepts claims submitted online or by mail using the approved claim form.
Class members who wish to retain the ability to pursue separate legal claims related to the data incident must exclude themselves from the settlement by July 27, 2026. Individuals who remain in the settlement class and do not submit a claim will not receive settlement benefits or payments and will relinquish the right to bring separate legal claims covered by the settlement.
Class members who disagree with the proposed settlement may file an objection with the court by July 27, 2026. Individuals who submit objections may also request permission to speak during the Final Approval Hearing while remaining eligible to submit a claim for settlement benefits if they do not opt out.
The Final Approval Hearing is scheduled for August 24, 2026. The court will determine whether the proposed settlement should receive final approval.
Image credit: 1658445965 Aminograpix – Adobestock / logo©HillcrestConvalescentCenter
