
Gryphon Healthcare agrees to $2.8 million settlement after 2024 data breach exposes data of nearly 400,000 patients

Gryphon Healthcare, a Houston-based provider of revenue cycle management and medical billing services to healthcare organizations, has agreed to a $2.8 million class action settlement following a 2024 cyberattack that exposed the protected health information of nearly 400,000 individuals, according to court filings tied to the case.



The incident stemmed from unauthorized access involving an external information technology service provider that supported billing operations. Gryphon Healthcare became aware of the intrusion in August 2024 and determined through an internal investigation that files may have been viewed or obtained. The affected data included names, dates of birth, addresses, Social Security numbers, dates of service, diagnoses, medical treatment details, prescription information, medical record numbers, and health insurance data belonging to 393,358 patients.


Notification letters were sent to affected individuals beginning around Oct. 11, 2024. Shortly afterward, the first class action lawsuit was filed. Over the following weeks, additional complaints were brought, ultimately totaling nine lawsuits. These actions were consolidated into a single case, Morris et al. v. Gryphon Healthcare, LLC, in the District Court for Harris County, Texas.


The consolidated complaint alleged a broad range of claims, including negligence and negligence per se, breach of contract and implied contract, breach of fiduciary duty and confidence, invasion of privacy, unjust enrichment, bailment, failure to provide timely notice under applicable data breach laws, and violations of state consumer protection statutes. Plaintiffs argued that Gryphon Healthcare failed to implement reasonable cybersecurity safeguards and did not adequately monitor its systems for unauthorized access, allowing the intrusion to persist undetected.


Gryphon Healthcare denied wrongdoing, fault, and liability in connection with the cyberattack and data exposure. The company nonetheless agreed to settle the litigation, citing the cost, distraction, and uncertainty associated with continued legal proceedings and a potential trial.


Under the settlement terms, Gryphon Healthcare will establish a $2.8 million fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the nine named plaintiffs. The remaining funds will be distributed to eligible class members.


Individuals included in the settlement may choose between two compensation options. Class members can submit claims for reimbursement of documented, unreimbursed losses related to the data breach, up to $5,000 per person. Alternatively, they may opt for a flat cash payment estimated at $100, subject to adjustment based on the total number of valid claims submitted.


In addition to monetary compensation, all class members who file valid claims will receive two years of identity theft protection and medical data monitoring services. The coverage includes up to $1 million in identity theft insurance.


The deadline to object to the settlement or opt out of the class is March 17, 2026. Claims must be submitted by April 16, 2026. A final fairness hearing to determine whether the settlement will receive court approval is scheduled for Aug. 31, 2026.


The lawsuits also sought injunctive relief requiring Gryphon Healthcare to adopt enhanced data security measures. The settlement resolves the consolidated claims on a class-wide basis, subject to final approval by the court.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543