Class Action Lawsuits Archives

Suze Shaffer May 20, 2026May 20, 2026

HIPAA itself does not provide individuals with a “private right of action,” meaning patients generally cannot sue a Covered Entity or Business Associate directly under HIPAA for a violation. Enforcement authority belongs to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which investigates complaints and may impose corrective actions, settlements, or civil monetary penalties.

Class Action vs HIPAA

However, while patients may not sue “under HIPAA,” class action lawsuits are becoming more prevalent following healthcare data breaches or privacy incidents. Plaintiffs’ attorneys often use alleged HIPAA failures as evidence of negligence, inadequate security practices, breach of fiduciary duty, or violations of state consumer protection and privacy laws. In many cases, lawsuits focus on claims such as emotional distress, identity theft risk, financial harm, or failure to properly safeguard sensitive information. As healthcare breaches continue to increase and state privacy laws expand, organizations are facing growing litigation exposure even when OCR does not issue a HIPAA fine.

Class Action Lawsuits

For example, American Multispecialty Group, which does business as Esse Health, a Missouri-based independent physician group serving the greater St. Louis area, experienced a cyberattack and data breach in April 2025. Following the incident, Esse Health became the target of multiple class action lawsuits related to the breach. Those lawsuits were later consolidated, and the organization recently agreed to a $2,525,000 settlement to resolve the claims.

Other class action lawsuits include Ascension, BJC Healthcare, HCA Healthcare, Hypertension Nephology Associates, and Shields Heath Care Group that settled for $15,300,000.

These lawsuits commonly allege:

Failure to conduct an accurate and thorough risk analysis
Failure to implement reasonable security safeguards
Negligent cybersecurity practices
Delayed breach notification
Failure to properly monitor systems
Increased risk of identity theft and medical fraud

This trend demonstrates that even though HIPAA itself does not create a private right of action, plaintiffs are increasingly using state negligence laws, consumer protection laws, breach of implied contract claims, and privacy torts to pursue class action litigation after healthcare data breaches.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project, it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper™ system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Protect your practice — and your patients.

Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

Suze Shaffer November 1, 2025November 8, 2025

Under the Federal HIPAA law, there is no private right of action. Meaning, a patient cannot directly sue a medical provider for a HIPAA violation. However, most state privacy laws do permit class action lawsuits.
While a federal HIPAA violation itself doesn’t open the organization to class-action lawsuits by patients, a breach or non-compliance often triggers state law (consumer law) class actions, regulatory enforcement, and substantial financial risk and reputational damage.

For example, Florida law fills the “no private HIPAA lawsuit” gap
While HIPAA itself doesn’t permit a private right of action, Florida’s own privacy and consumer protection laws allow individuals to sue when their medical or personal information is mishandled. Common bases for class actions include:

Examples of HIPAA style class actions

Akumin Operating Corp. (Florida-based outpatient radiology/oncology provider)
2023 breach; class action consolidated 2024-25. Ransomware attack, $1.5 million settlement.

Gastroenterology Associates of Central Florida, P.A. (d/b/a Center for Digestive Health / Center for Digestive Endoscopy)
Discovered April 11, 2024; class action filed 2025. Network intrusion, settlement has been determined but not released.

HCA Healthcare, Inc. data breach (July 2023)
HCA Healthcare agreed to a multi-million-dollar settlement after a breach of data affecting some 11.27 million patients across 20 states. Settlement between $9-10M.

Tampa General Hospital (2023)
Subject to class-action claims after a data breach impacted over 1.2 million patients. Allegations included failure to use reasonable cybersecurity measures and delay in notification, invoking both FIPA and FDUTPA. Settlement $6.8M.

Lakeland Regional Health (2022)
Data breach leads to litigation under FIPA and negligence, settlement $4M.

UF Health Central Florida (2021)
Data breach leads to litigation under FIPA and negligence.

Anthem, Inc. breach (2015)
Anthem reported a breach affecting tens of millions of individuals; in 2017 they settled class‐action litigation for $115 million.

Visionworks of America, Inc., a retail/optical chain, faces a proposed class action after a data breach affecting 40,000 customers.

Imagine a breach of your patient portal where PHI is exposed, then a class-action law firm sues you for negligent safeguarding of data. All the while the OCR fines you for the breach. We help you avoid both scenarios.

At Aris Medical Solutions, our HIPAA Keeper™ system highlights that strong vendor management, business associate agreements (BAAs), cybersecurity controls, timely breach notification, record-access compliance (e.g., right of access) are critical to reduce the risk of class actions..

Don’t leave patient data exposed.
Schedule your HIPAA Risk Analysis and Access Control Review with Aris Medical Solutions today.

Tag: Class Action Lawsuits

Class Action Lawsuits and Healthcare Providers