General Physician, P.C., a medical group serving patients in Western New York, has agreed to pay $2.5 million to settle a class action lawsuit stemming from a 2024 data breach that exposed sensitive patient information after unauthorized access to the organization’s email system.

Suspicious activity within the group’s email environment was identified on June 12, 2024. A subsequent forensic investigation confirmed that an unauthorized third party had access to the system between April 6, 2024, and June 12, 2024.
The compromised data spanned a wide range of personal and medical information, including full names, addresses, Social Security numbers, financial account details, dates of birth, medical histories, mental and physical treatment information, diagnoses, treating physician names, medical record numbers, and health insurance information.
The breach was initially reported to the U.S. Department of Health and Human Services Office for Civil Rights with a placeholder estimate of 501 affected individuals. Further investigation later determined that the protected health information of 167,387 people had been exposed.
Multiple lawsuits followed the disclosure of the breach and were consolidated into a single case, Newhart v. General Physician, P.C., filed in the Supreme Court of the State of New York, County of Erie. Plaintiffs alleged the medical group failed to implement reasonable cybersecurity protections necessary to safeguard sensitive patient data.
General Physician has denied any wrongdoing and maintains that it bears no liability in connection with the incident. Although the medical group disputes the claims, the parties pursued an early resolution through mediation and reached an agreement on settlement terms.
The proposed settlement has received preliminary approval from the court. A final fairness hearing is scheduled for June 4, 2025.
Under the agreement, a $2.5 million settlement fund will be established to compensate eligible class members after deductions for attorneys’ fees, litigation expenses, administrative costs, and service awards for the class representatives.
Although federal breach reporting indicates that up to 167,387 individuals had protected health information compromised, the settlement class includes approximately 490,210 individuals whose information may have been affected.
Eligible class members may enroll in a two-year membership providing single-bureau credit monitoring and medical data monitoring services. They may also submit claims for financial compensation. One option allows reimbursement of up to $5,000 per person for documented, unreimbursed losses linked to the breach. Alternatively, individuals may elect to receive a pro rata cash payment from the settlement fund.
The amount of the pro rata payment will depend on the total number of approved claims. Based on projected participation rates, payments are expected to average about $60 per claimant.
Class members must submit claims by May 27, 2026. The deadline to object to the settlement or opt out of the class is April 27, 2026.