As first reported by TechTarget, the Massachusetts-based healthcare provider has agreed to pay $15.35 million to settle litigation stemming from a 2022 cyber attack that exposed sensitive data of approximately 2.3 million individuals.
Shields Health Care Group, which operates over 30 diagnostic and surgical facilities across New England, discovered the breach in late March 2022, but by then attackers had already had access to its systems for nearly two weeks, obtaining patient names, Social Security numbers, medical record numbers, and detailed health and billing information.

The class action lawsuit consolidated multiple claims and alleged that Shields failed to notify affected individuals promptly and adequately after the breach. Plaintiffs accused the company of breaching fiduciary duty and violating consumer protection laws. While Shields denied wrongdoing, the settlement provides compensation of up to $2,500 per individual for out-of-pocket losses and up to $25,000 for extraordinary damages like identity theft, though Massachusetts residents are excluded from the class.
The settlement also highlights post-breach security improvements by Shields, though details remain confidential. The company has reportedly made significant investments in IT staff and cybersecurity infrastructure, committing to long-term enhancements. The agreement has been approved by a federal judge in Massachusetts and is now pending preliminary court approval before distribution of compensation begins.