Memorial Hospital and Manor, a rural hospital in Bainbridge, Georgia, has agreed to settle class action litigation over a ransomware attack and data breach in November 2024. The hospital detected the cyberattack on November 2, 2024, after its EMR system, website, and email became unavailable. On November 3, 2024, Memorial Hospital and Manor notified patients about the attack through its Facebook account, and notification letters were sent to the affected individuals on February 7, 2025, in compliance with HIPAA laws. The breach report sent to the HHS’ Office for Civil Rights indicated that the incident compromised the protected health information of 120,085 persons. Breached data included names, birth dates, medical procedure data, medical backgrounds, medical insurance details, and Social Security numbers.
Plaintiff Morgan Wade filed the first class action lawsuit on February 10, 2025, in the District Court for the Middle District of Georgia, Albany Division. Other affected individuals filed another 9 class action lawsuits. Because the lawsuits had identical claims, they were consolidated into a single action. The consolidated lawsuit, Smith et al. v. The Hospital Authority of the City of Bainbridge and Decatur County d/b/a Memorial Hospital and Manor, was filed in the State Court of Decatur County, Georgia. The class action lawsuit asserted multiple claims, including negligence for failure to implement adequate and appropriate security measures to protect the privacy of patient information. Memorial Hospital and Manor does not acknowledge any wrongdoing; nonetheless, all parties decided to resolve the litigation to avoid the costs and risks of a trial and associated appeals.
Under the settlement agreement, the class comprises roughly 105,000 current and former patients who were notified of the data breach. The terms of the settlement allow class members to submit a claim for reimbursement of documented, unreimbursed expenses of up to $5,000 incurred as a result of the data breach, and to claim around $100 as compensation for lost time (maximum 4 hours at $25 hourly). As an alternative to filing a claim for reimbursement of expenses and lost time, class members may choose to receive a $40 cash payment. Class members are also eligible to sign up for the CyEx Medical Shield Pro medical data monitoring service for 12 months. The service includes a $1M medical identity theft insurance plan.
The settlement has received preliminary approval from the court. The final fairness hearing is set for January 20, 2026. The deadline to file a claim is January 5, 2026. Individuals wishing to exclude themselves from or object to the settlement should do so on or before December 22, 2025.