HIPAA-covered entity Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon decided to resolve a class action lawsuit resulting from a data breach in October 2023. Employee email accounts were accessed by an unauthorized third party from October 2, 2023 to October 3, 2023. Although the healthcare provider detected the unauthorized access and addressed the issue immediately, the hackers accessed sensitive information, including names, phone numbers, addresses, email addresses, birth dates, state ID numbers/driver’s license numbers, Social Security numbers, digital signatures, financial data, medical data, and medical insurance details.
On December 1, 2023, the Neuromusculoskeletal Center of The Cascades mailed notification letters to the impacted individuals. It also notified the Oregon Attorney General about the breach, with 22,796 individuals affected. The breach report sent to the HHS Office for Civil Rights stated that the protected health information (PHI) of 19,373 individuals was likely exposed in the attack.
Plaintiff Krysta Hakkila filed a class action lawsuit as an individual and on behalf of likewise situated people. Plaintiff Ida Vetterwhich filed a second lawsuit later. Because of similarities in the two lawsuits, a combined class action lawsuit, Hakkila et al. v. Neuromusculoskeletal Center of The Cascades, PC, was filed in the Circuit Court of Deschutes County, Oregon.
The lawsuit stated that the Neuromusculoskeletal Center of The Cascades did not employ proper security procedures, which could have helped to avoid the data breach. Claims mentioned in the lawsuit include unjust enrichment, negligence, negligence per se, breach of implied contract, invasion of privacy, breach of fiduciary duty, and Oregon Unlawful Trade Practices Act violation. Neuromusculoskeletal Center of The Cascades does not concur with the claims and states it has no wrongdoing or liability.
The defendants decided to settle with the plaintiffs, but without admitting wrongdoing or liability, to steer clear of the cost and problems of a trial. The court already gave preliminary approval of the settlement. According tot the terms of the settlement, class members could claim a two-year medical data monitoring services through CyEx Medical Shield Total, reimburse documented out-of-pocket losses as a result of the data breach up to $500 for each class member, get compensation for documented lost time spent on dealing with the effects of the data breach (around four hours at $25 per hour), and reimburse losses up to $2,500 per class member due to identity theft and fraud. Class members who do not want to submit a claim for the above-mentioned benefits may claim an alternative $80 one-time cash payment.
The last day to file a claim is December 26, 2025. The scheduled final approval hearing is on January 9, 2026. Those who want to object to or exempt themselves from the settlement can do so until November 25, 2025.
Image credit: Harsha, AdobeStock
