
Columbus Regional Healthcare has agreed to a $1,175,000 settlement to resolve litigation arising from a data breach that occurred in May 2023. The breach, detected on May 21, 2023, was found to have compromised portions of the healthcare provider’s network between May 19, 2023, and May 21, 2024. The exposed systems contained sensitive personal and protected health information of 132,887 individuals.
A forensic investigation confirmed that the compromised data included names, addresses, birth dates, Social Security numbers, driver’s license details, passport numbers, financial account information, medical histories, and health insurance information. The review process concluded on December 28, 2023, and affected individuals were notified in January 2024. Those whose Social Security numbers were exposed were offered complimentary credit monitoring services.
In response to the breach, multiple lawsuits were filed and later consolidated into a single case, In Re: Columbus Regional Healthcare System, in Columbus County, North Carolina. The lawsuit was subsequently transferred to the Business Court in Columbus County. The plaintiffs alleged that Columbus Regional Healthcare was negligent in failing to implement adequate security measures to protect stored sensitive data. They contended that proper safeguards could have prevented the breach. Additional claims included breach of implied contract, negligence per se, breach of fiduciary duty, intrusion upon seclusion/invasion of privacy, and unjust enrichment.
Before engaging in extensive legal proceedings, both parties agreed to mediation to mitigate litigation costs and uncertainties. Columbus Regional Healthcare denied all allegations of wrongdoing but opted for a settlement to avoid further legal expenses and risks.
As part of the settlement, a fund of $1,175,000 will be established to cover notice and administration expenses, attorneys’ fees, and class member compensation. Attorneys’ fees are expected to constitute 35% of the settlement fund. Eligible class members may submit claims for reimbursement of up to $5,000 for documented, unreimbursed financial losses resulting from the data breach. Additionally, affected individuals will receive a pro rata cash fund payment estimated at $50, though this amount may vary based on the number of valid claims submitted.
The settlement has received preliminary court approval, with a final approval hearing scheduled for April 9, 2025. Affected individuals have until April 2, 2025, to submit their claims.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.