Staten Island University Hospital Agrees to Resolve Business Associate Data Breach Litigation

February 15, 2026HIPAA News Today0

Staten Island University Hospital has agreed to settle a class action lawsuit related to a January 2024 data breach at its business associate, The Medibase Group Inc., that affected 35,106 individuals.

Incident Overview

The data breach occurred in January 2024 at The Medibase Group Inc., a HIPAA-covered provider of healthcare solutions, technical assistance, and business office solutions that provided services to Staten Island University Hospital in New York. On or around May 8, 2024, The Medibase Group notified Staten Island University Hospital that an unauthorized third party had gained access to Medibase systems containing protected health information.

The compromised data included names, Social Security numbers, dates of birth, medical information, and health insurance information. Certain files may also have contained hospital admit and discharge dates and outstanding balances. Notification letters were mailed to affected individuals on July 5, 2024.

The settlement website describes the event as a targeted cyberattack on the computer systems of The Medibase Group Inc. The website states that Staten Island University Hospital’s computer systems were not impacted.

Litigation Details

A class action lawsuit was filed by Belle De Santiago and Elena Girenko against Staten Island University Hospital in the Superior Court of Cherokee County for the State of Georgia. The case is titled Belle De Santiago and Elena Girenko v. Staten Island University Hospital, Case No. 25CVE0998.

The lawsuit alleged that the data breach resulted from a failure to implement reasonable and appropriate security measures to protect sensitive patient data. The asserted claims include negligence or negligence per se, breach of implied contract, and unjust enrichment.

Staten Island University Hospital denies all claims of wrongdoing, fault, and liability. The settlement website states that the Court has not decided who is right.

Settlement Terms

The parties agreed to a settlement to avoid the costs, risks, disruptions, and uncertainties of going on with the litigation. Staten Island University Hospital agreed to the settlement to avoid interruption to its business operations as well.

Class members may submit a claim for two years of medical data monitoring services that include a $1 million identity theft insurance policy. Class members may also submit claims for payment of documented, unreimbursed out of pocket expenses due to the data breach up to $1,000 per class member. A claim may be submitted for a $35.00 flat cash payment.

The deadline for exclusion and opting out is March 2, 2026. The deadline for submitting a claim is March 16, 2026. A final fairness hearing is scheduled for March 31, 2026.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2026 ComplianceHome. All rights reserved.