Judge Gives First Nod to $1M Community First Medical Center Data Breach Settlement
A federal judge has given preliminary approval of a $1 million settlement to resolve a consolidated class action lawsuit against Community First Medical Center over a July 2023 data breach. An unauthorized third party accessed the network of the Chicago, IL, medical center on July 12, 2023, and viewed or acquired files containing the protected health information of approximately 216,000 patients, including names, contact information, Social Security numbers, and Medicare numbers.
Fifteen class action lawsuits were filed against Community First Medical Center over the data breach. As the lawsuits had overlapping claims, they were consolidated into a single action – Pacheco, et al. v. Community First Healthcare of Illinois, Inc. d/b/a Community First Medical Center – in the Circuit Court of Cook County, Illinois. The lawsuits alleged that Community First Healthcare of Illinois, doing business as Community First Medical Center, failed to implement reasonable and appropriate cybersecurity measures, resulting in a data breach, and engaged in deceptive business practices.
The lawsuit asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of contract, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act. The lawsuit sought injunctive relief, declaratory relief, monetary damages, and all other relief as authorized in equity or by law. Community First Medical Center denies all claims of liability and wrongdoing; however, after considering the costs, time, burden, and distraction of continuing with the litigation and the risks associated with a trial, agreed to settle the lawsuit. The plaintiffs and class counsel believe a settlement is the best outcome considering the costs, time, and risks of continuing with the litigation, and that the negotiated settlement is fair.
Under the terms of the settlement, Community First Medical Center has agreed to establish a $1,000,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the fifteen class representatives, and one year of three-bureau credit and medical monitoring services for all class members. Class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Claimable losses include credit monitoring costs, credit report costs, bank fees, losses to identity theft and fraud, and other costs incurred after and in response to the data breach. Alternatively, if a claim for reimbursement of losses is not submitted, class members may claim a one-time cash payment, estimated to be approximately $40. The cash payments may increase or decrease based on the number of valid claims received, and will exhaust the settlement fund. The deadline for objection to and exclusion from the settlement is March 3, 2026. Claims must be submitted by April 2, 2026, and the final fairness hearing has been scheduled for March 25, 2026.
