Consulting Radiologists Resolves Class Action Data Breach Litigation for $2.2M

Radiology practice, Consulting Radiologists Ltd., decided to negotiate a class action data breach litigation. The company offers medical imaging services to over 100 healthcare centers in Minnesota and the nearby areas.

Consulting Radiologists submitted the data breach report to the HHS’ Office for Civil Rights on June 14, 2024, stating that around 583,824 individuals’ protected health information (PHI) were affected. It discovered the network attack on February 12, 2024. The investigation revealed that an unauthorized third party viewed the system and likely acquired patient information, including names, birth dates, addresses, health data, medical insurance details, and the Social Security numbers of 19,346 persons.

In April 2024, Consulting Radiologists reported the data breach and sent notification letters to the affected persons. Soon after that, a class action lawsuit was filed then another 18 cases. District Court Judge Thomas Conley announced an order to combine all cases faced by Consulting Radiologists. On November 1, 2024, the combined lawsuit was submitted in the District Court of the 4th Judicial District Court of Hennepin County, Minnesota.

In re Consulting Radiologists Data Incident Lawsuit claimed the data breach was the consequence of negligence and may have been averted if valid and proper cybersecurity actions were put in place and maintained. The legal action claimed that Consulting Radiologists had breached the HIPAA Regulations, which include the HIPAA Security Rule, by not appropriately protecting patient data and the HIPAA Breach Notification Law because of the late issuance of breach notifications to the impacted people.

The lawsuit declared claims of breach of third-party contract, breach of contract, breach of implied contract, negligence, negligence per se, unjust enrichment, breach of fiduciary duty, breach of implied covenant of good faith and fair dealing, breach of confidence, violation of privacy/intrusion upon seclusion, and violations of the Minnesota Consumer Fraud Act and Minnesota Health Records Act.

Consulting Radiologists was successful in partially having the lawsuit dismissed. However, the court failed to dismiss the claims of negligence, negligence per se, unjust enrichment, injunctive/declaratory relief, and violations of the Minnesota Health Records Act, and Minnesota Consumer Fraud Act. After ongoing talks, the parties decided on a settlement and finished lawsuit, with no admitting liability or wrongdoing. Consulting Radiologists has consented to pay $2,200,000 for attorneys’ fees and expenditures, settlement management and notification fees, class members’ benefits, and 19 class representatives’ service awards.

Based on the settlement, class members could claim up to three of these benefits:

• A claim may be submitted for reimbursement of recorded, unreimbursed costs as a result of the data breach up to $5,000 each class member.
• A claim for cash payment, the amount of which depends on the types of breached information, and are estimated to be $125 for persons who had their Social Security numbers affected, and $50 for all other class members. The cash payments are adjusted pro rata with a limit of below $2,200,000.
• A claim for Single-bureau credit monitoring services for two years

The last day to submit for objection to and exemption from the settlement is January 30, 2026. Claims must be filed until March 2, 2026. The court booked the final fairness hearing on February 25, 2026. Read about settlement updates on https://www.crdatasettlement.com/