Alabama Cardiovascular Group, a heart and vascular clinic in Alabama, agreed to pay $2.23 million to settle a class action stemming from a July 2, 2024 cyberattack that allegedly exposed sensitive patient data. According to the lawsuit, hackers accessed information that can be especially valuable for identity theft and medical fraud—names, dates of birth, Social Security numbers, health insurance details, and medical information—and affected patients were notified that their data “may have been compromised.” Unlike many retail breaches that involve just payment cards, healthcare incidents often involve long-lived identifiers and clinical details that are difficult or impossible to change, which is why these cases tend to draw significant scrutiny from patients, regulators, and insurers. The suit (Brown, et al. v. Alabama Cardiology Group P.C. d/b/a Alabama Cardiovascular Group) was filed on the theory that the clinic failed to use reasonable cybersecurity measures to prevent the breach and failed to adequately protect confidential patient information; the company denies wrongdoing but chose to settle to resolve the claims. The settlement offers up to $5,000 for documented out-of-pocket losses (such as credit monitoring costs, bank fees, fraudulent charges, and identity-theft-related expenses) or a smaller pro rata cash payment for those without documented losses, plus two years of credit monitoring and $1 million in identity theft insurance—reflecting how breach settlements often try to compensate both measurable financial harm and the ongoing risk and time burden placed on patients. More broadly, this case fits a nationwide pattern of healthcare data-breach class actions where plaintiffs argue that providers and their vendors didn’t meet industry expectations for safeguards like access controls, monitoring, encryption, and timely incident response. While HIPAA and the HITECH Act set baseline privacy and security requirements and mandate breach notifications, they generally don’t create an automatic private right to sue—so many claims are brought under state consumer protection, negligence, breach of implied contract, or state medical privacy theories, with settlements frequently funding credit monitoring and limited reimbursement rather than admitting liability. Similar cases across hospitals, specialty practices, and billing vendors highlight a sector-wide challenge: healthcare organizations are high-value targets, often operate with complex legacy systems, and face growing pressure from regulators and the plaintiffs’ bar to treat cybersecurity as a core patient-safety obligation rather than just an IT function