$2.35 Million Settlement Resolves Cornerstone Specialty Hospitals Data Breach Class Action
Cornerstone Healthcare Group Management Services, doing business as Cornerstone Specialty Hospitals, agreed to pay $2,350,000 to resolve class action litigation related to a December 2023 cyberattack and data breach that potentially exposed patient information.
Cyberattack and Data Exposure
A threat actor gained access to the Cornerstone network on or around December 19, 2023 and may have accessed and copied patient data. Information potentially compromised in the incident included names, birth dates, Social Security numbers, passport numbers, federal or state ID numbers, financial account details, credit or debit card information, digital signatures, email addresses, usernames and passwords, health data, medical insurance details, and other protected health information (PHI).
Cornerstone initially reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights with a placeholder of about 501 affected persons. The total number of affected individuals was later updated to 484,957.
Class Action Litigation
The Mireles v. Cornerstone Healthcare Group Management Services LLC d/b/a Cornerstone Specialty Hospitals lawsuit was submitted in the Court of the Western District of Kentucky, Louisville Division. The lawsuit alleged that the data breach resulted from the defendant’s inability to implement appropriate safeguards for sensitive data stored on its network. The complaint also alleged delayed notification to affected individuals, with breach notifications mailed on or around July 1, 2024.
Claims in the lawsuit included negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and requests for declaratory relief.
Cornerstone denied the allegations and denied wrongdoing or liability. The company agreed to resolve the litigation through a settlement to avoid continued legal costs and the uncertainty of trial.
Settlement Terms
A settlement fund of $2,350,000 will be used to pay attorneys’ fees and expenses, service awards for class representatives, and settlement-related taxes and tax expenses. Remaining funds will be allocated for eligible class members’ benefits.
Individuals whose Social Security numbers were compromised may claim two years of three-bureau credit monitoring and identity theft protection services. Eligible individuals may also submit claims for reimbursement of documented extraordinary losses linked to the data breach up to $10,000 per person.
All class members may submit claims for reimbursement of documented ordinary losses associated with the incident. Reimbursement for ordinary losses is capped at $2,500 per individual.
Individuals who do not submit claims for ordinary or extraordinary losses may instead receive a pro rata cash payment from the remaining settlement fund. Settlement terms provide that individuals whose Social Security numbers were exposed will receive a payment equal to three times the amount paid to class members whose Social Security numbers were not compromised.
Eligibility And Deadlines
Settlement class members include individuals whose private information was compromised in the December 2023 data breach and who received notification from Cornerstone regarding the incident. Approximately 483,000 individuals are included in the settlement class. A subclass of approximately 74,959 individuals includes those whose Social Security numbers were potentially compromised.
The deadline to object to the settlement or request exclusion is April 8, 2026. The deadline to submit a claim is May 8, 2026. A final approval hearing is scheduled for May 14, 2026. Compensation to class members will be distributed after final court approval and resolution of any appeals.