Trinity Health Pays $450,000 to Settle Lawsuit Over Accellion FTA Data Breach

Trinity Health Corporation, the Catholic health system based in Livonia, Michigan, and co-defendants Valley Surgical Specialists Medical Group, Inc., Rame Deme Iberdemaj, and Daniel Evan Swartz, MD, have decided to resolve a class action lawsuit over a 2021 data breach linked to the use of Accellion FTA, a file transfer platform.

On or about January 29, 2021, Accellion informed Trinity Health that threat actors had exploited a zero-day vulnerability to access Accellion FTA. The health system used Accellion’s platform to send secure email messages. The unauthorized third party likely downloaded the files kept by Accellion FTA. The files included names, addresses, birth dates, medical record numbers, laboratory results, prescription drugs, claims data, credit card data, and Social Security numbers. Trinity Health sent notification letters to 18,153 California residents and offered them free credit monitoring, identity theft protection, and fraud resolution services for one year.

On May 20, 2021, the class action lawsuit, Jane Doe v. Trinity Health Corporation, was filed in the Fresno County Superior Court over the data breach, seeking damages, injunctive relief, and restitution. The lawsuit claimed that HIPAA-compliant Trinity Health did not sufficiently protect patient information and did not implement data encryption on the Accellion FTA. The lawsuit also claimed violations of the California Security Notification Laws and the California Confidentiality of Medical Information Act. Furthermore, it alleged that the defendants committed illegal and unfair business acts and practices, violating Cal. Bus. & Prof. Code §§ 17200 et seq.

Trinity Health, along with the other defendants, does not admit any wrongdoing. Nevertheless, they opted to settle the lawsuit rather than bear the further cost of litigation and the uncertainty of trial. Class counsel and the class representative think the settlement is reasonable and is best for the class members.

Trinity Health has decided to create a $450,000 settlement fund, which will cover the attorneys’ fees (about $150,000), lawyers’ expenses (about $25,000), service awards (maximum $5,000), and settlement management expenses. The remainder of the fund will be spent on the class members’ benefits. Class members can file a claim for a refund of documented out-of-pocket costs linked to the data breach and are also eligible for a one-time cash payment.

Claims for compensation of losses are limited to $1,000 for each class member. The expected cash payment amounts are as follows: $11 if all class members file a claim, $115 if 10% of class members file a claim, and $231 if 5% of class members file a claim. The last day for submitting a claim is January 19, 2026. The final fairness hearing is scheduled for April 29, 2026. Those who wish to object to or exclude themselves from the settlement can do so on or before December 19, 2025.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter (https://x.com/JamesKeoghHIPAA) and contact him on LinkedIn (https://www.linkedin.com/in/james-keogh-89023681).