East Carolina Health Pays $250,000 to Resolve Data Leak Lawsuit

July 13, 2025HIPAA News0

The settlement of a class action lawsuit against East Carolina Health (EC Health) has been accepted. The lawsuit is associated with a data breach in 2023 that impacted 19,085 individuals.

The data breach that occurred at the Brody School of Medicine of East Carolina University was discovered on or about December 21, 2023. The breach resulted in making electronic files that contain patients’ protected health information (PHI) inadvertently available to ECU workers, students, and some physicians employed by ECU Health without requiring access from July 2022 to January 2024. The files included names, medical insurance data, and diagnostic and/or clinical details. The impacted individuals received breach notification on February 20, 2024.

On April 12, 2024, the Kaitlyn Hill. v. East Carolina Health lawsuit was filed in the Superior Court of North Carolina, Pitt County. The lawsuit claimed an impermissible PHI disclosure, which violates the Health Insurance Portability and Accountability Act (HIPAA). In HIPAA, there is no private cause of action; hence, the lawsuit was not connected to HIPAA violations. The defendant is facing charges on legal violations predicated on its responsibilities under HIPAA.

According to the lawsuit, EC Health ignored the legal rights of the plaintiff and class members by not implementing acceptable and proper steps to secure protected health information (PHI). That negligence resulted in the harm of the plaintiff and class members, reduction of their PHI value, a greater risk of fraud and identity theft, and lost time, annoyance, disturbance, and difficulty. Besides negligence, the lawsuit claimed breach of implied covenant of good faith and fair dealing, breach of implied contract, unjust enrichment, breach of the North Carolina Unfair Trade Practices Act, and the North Carolina Identity Theft Protection Act.

EC Health challenges the lawsuit claims and rejects any wrongdoing; nevertheless, it consented to pay a $250,000 settlement to end the litigation and avoid additional legal expenses as well as the risks and uncertainty linked to ongoing litigation. The settlement fund will pay for the legal costs and expenses, attorneys’ fees, settlement management costs, and service awards. Attorneys’ fees will likely be $83,325, while the named plaintiff’s service award will be $2,500.

Class members have two options to claim payment: A $100 compensation for documented out-of-pocket expenditures associated with the data breach or a $100 flat cash payment, which could be adjusted pro rata according to the number of filed claims.

The court has given preliminary approval of the settlement. The last day for exclusion from or objection to the settlement is August 18, 2025. Claims should be submitted on or before September 1, 2025, and the schedule of the final fairness hearing is September 15, 2025.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2025 ComplianceHome. All rights reserved.