MedQ Settles Class Action Lawsuit Over Ransomware Attack

November 16, 2025HIPAA News0

HIPAA-covered company, MedQ Inc. is a vendor of administrative services to the healthcare industry. Due to a ransomware attack in December 2023 that affected 54,725 people, the company has decided to negotiate class action litigation associated with this incident.

A ransomware group gained access to its system and downloaded ransomware on or about December 26, 2023. The investigation affirmed the unauthorized access to its system since December 20, 2023, and the theft of information from its system. The stolen information included names, birth dates, medical data, medical insurance data, driver’s license numbers, and Social Security numbers. Free credit monitoring services were provided; however, that wasn’t enough to stop some class action lawsuits.

In response to the data breach, plaintiffs Shelby D. Franklin, Sharon Klepper, Cheri Ramey, Debra Everett, and Jana Harrison filed five lawsuits individually and representing likewise situated persons. The lawsuits had similar allegations and were combined into one action on May 13, 2024. The Klepper, et al. v. MedQ, Inc. lawsuit was filed in the District Court of Oklahoma County, Oklahoma.

MedQ rejects all allegations in the lawsuit and claims to have done no wrong or liability. MedQ submitted a motion to dismiss, and during its briefing, all parties made the decision to look into early resolution of the lawsuit and planned mediation on December 20, 2024. After a second attempt at negotiation on April 25, 2025, all parties reached an agreement on the terms of settlement. The court also gave preliminary approval of the settlement.

The settlement offers class members three-bureau credit monitoring services for two years, including monitoring of the dark web, public records, healthcare identity, and identity theft insurance coverage. Furthermore, class members may decide to submit a claim for refund of documented, unreimbursed losses because of the data breach up to $5,000 per class member, and also a cash payment of around $90 as payment for lost time (approximately 3 hours worth $30 per hour) on duties associated with the data breach, for example altering passwords, checking out accounts, and studying the data breach. Otherwise, class members could opt for a one-time $50 cash payment.

The last day to file an objection to or an exemption from the settlement agreement is December 1, 2025. Claims must be submitted on or before December 15, 2025. The schedule of the final fairness hearing is December 18, 2025.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2025 ComplianceHome. All rights reserved.