Rural hospital, Memorial Hospital and Manor, based in Bainbridge, Georgia, consented to settle a class action lawsuit associated with a November 2024 ransomware attack and data breach . The ransomware attack was discovered on November 2, 2024, because its EMR system, email, and website were inaccessible. On November 3, 2024, the HIPAA-covered hospital informed patients about the attack via its Facebook account and sent notification letters to the affected persons on February 7, 2025. The breach report submitted to the HHS’ Office for Civil Rights indicated that the protected health information (PHI) of 120,085 individuals were affected. Breached data included names, dates of birth, medical treatment details, medical histories, health insurance data, and Social Security numbers.
On February 10, 2025, plaintiff Morgan Wade filed the first class action lawsuit in the District Court for the Middle District of Georgia, Albany Division. Other affected patients filed 9 more class action lawsuits. As the lawsuits had similar claims, the lawsuits were consolidated into a single litigation. The Smith et al. v. The Hospital Authority of the City of Bainbridge and Decatur County d/b/a Memorial Hospital and Manor litigation was registered in the State Court of Decatur County, Georgia. The consolidated class action lawsuit stated the following claims: negligence for not implementing reasonable and appropriate security measures to protect the confidentiality of patient information. Memorial Hospital and Manor does not admit any wrongdoing; nevertheless, all parties decided to resolve the lawsuit to avoid the expenses and risks of a trial and corresponding appeals.
As per the settlement agreement, the class includes around 105,000 current and former patients who were alerted regarding the data breach. Based on the terms of the settlement, class members may submit a claim for compensation of documented, unreimbursed expenses because of the data breach up to $5,000, and can claim about $100 as refund for lost time (up to 4 hours at $25 an hour). As an option to submitting a claim for compensation of expenditures and lost time, class members may opt to receive a $40 cash payment. Class members are additionally entitled to register in the CyEx Medical Shield Pro medical data monitoring service for one year. The service comes with a $1,000,000 medical identity theft insurance policy .
The settlement has acquired preliminary court approval. The final fairness hearing is scheduled on January 20, 2026. The last day to file a claim is January 5, 2026. Individuals wishing to object to or exclude themselves from the settlement can do so until December 22, 2025.
