Under the Federal HIPAA law, there is no private right of action. Meaning, a patient cannot directly sue a medical provider for a HIPAA violation. However, most state privacy laws do permit class action lawsuits.
While a federal HIPAA violation itself doesn’t open the organization to class-action lawsuits by patients, a breach or non-compliance often triggers state law (consumer law) class actions, regulatory enforcement, and substantial financial risk and reputational damage.
For example, Florida law fills the “no private HIPAA lawsuit” gap
While HIPAA itself doesn’t permit a private right of action, Florida’s own privacy and consumer protection laws allow individuals to sue when their medical or personal information is mishandled. Common bases for class actions include:
Examples of HIPAA style class actions
Akumin Operating Corp. (Florida-based outpatient radiology/oncology provider)
2023 breach; class action consolidated 2024-25. Ransomware attack, $1.5 million settlement.
Gastroenterology Associates of Central Florida, P.A. (d/b/a Center for Digestive Health / Center for Digestive Endoscopy)
Discovered April 11, 2024; class action filed 2025. Network intrusion, settlement has been determined but not released.
HCA Healthcare, Inc. data breach (July 2023)
HCA Healthcare agreed to a multi-million-dollar settlement after a breach of data affecting some 11.27 million patients across 20 states. Settlement between $9-10M.
Tampa General Hospital (2023)
Subject to class-action claims after a data breach impacted over 1.2 million patients. Allegations included failure to use reasonable cybersecurity measures and delay in notification, invoking both FIPA and FDUTPA. Settlement $6.8M.
Lakeland Regional Health (2022)
Data breach leads to litigation under FIPA and negligence, settlement $4M.
UF Health Central Florida (2021)
Data breach leads to litigation under FIPA and negligence.
Anthem, Inc. breach (2015)
Anthem reported a breach affecting tens of millions of individuals; in 2017 they settled class‐action litigation for $115 million.
Visionworks of America, Inc., a retail/optical chain, faces a proposed class action after a data breach affecting 40,000 customers.
Imagine a breach of your patient portal where PHI is exposed, then a class-action law firm sues you for negligent safeguarding of data. All the while the OCR fines you for the breach. We help you avoid both scenarios.
At Aris Medical Solutions, our HIPAA Keeper™ system highlights that strong vendor management, business associate agreements (BAAs), cybersecurity controls, timely breach notification, record-access compliance (e.g., right of access) are critical to reduce the risk of class actions..
Don’t leave patient data exposed.
Schedule your HIPAA Risk Analysis and Access Control Review with Aris Medical Solutions today.
