A major healthcare data breach settlement has been reached following the July 2023 cyberattack that compromised approximately 11 million patient records across HCA Healthcare facilities.

The class action settlement addresses one of the largest hospital cyberattack incidents in recent years, affecting current HCA patients throughout 20 states who trusted their medical information to the healthcare giant.

With the claim deadline coming soon, millions of patients with personal information exposed on the dark web now have a clear path to receive benefits and other compensation.

What Happened During the HCA Healthcare Cyberattack

In July 2023, cybercriminals accessed the HCA network and stole patient information from an external storage location used exclusively for email formatting. 

This breach wasn't minor—hackers obtained 27 rows of data that quickly appeared on dark web forums, creating immediate identity theft and fraud risks.

Type of data stolen 

The compromised patient data included:

• Full names and contact details (addresses, email addresses, phone numbers).
• Dates of birth and gender information.
• Patient service dates and appointment locations.
• Next scheduled appointment details.

While HCA confirmed that clinical information, payment data, and social security numbers weren't part of the breach, the exposed information still poses significant risks.

Questionable company response

The lawsuit reveals troubling details about how HCA responded to the incident.

Hackers demanded ransom with a July 10 deadline, and when HCA failed to reply, the entire database became available for sale on criminal forums. 

This inaction suggests the company was negligent in preventing the full data dump, an allegation that would later fuel multiple lawsuits claiming negligence in protecting patient data security.

How 27 Lawsuits Became One Settlement

Following the data breach announcement, 27 different plaintiffs filed class action lawsuits against HCA Healthcare across multiple jurisdictions.

The cases were eventually consolidated in the United States District Court for the Middle District of Tennessee, streamlining the litigation process for all parties. 

Specific claims

Plaintiffs alleged the company:

• Failed to implement adequate security measures despite knowing healthcare industry risks.
• Violated HIPAA requirements for safeguarding protected health information.
• Neglected to encrypt sensitive patient data
• Delayed notifying affected patients about the breach

Data breach attorneys representing the plaintiffs also argued that HCA's inadequate data security practices directly enabled the cyberattack, and HCA failed to meet even basic industry standards for protecting medical information.

Defendants and Plaintiffs Sound Off 

HCA Healthcare maintains its stance of no wrongdoing in the settlement agreement. 

Defendant’s response 

Responding to the breach, the defendants stated, "HCA Healthcare reported this event to law enforcement and retained third-party forensic and threat intelligence   advisors." And, "The company has also not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident."

Class plaintiffs react

However, the plaintiffs in this case have painted a starkly different picture in court filings. 

According to the consolidated complaint, one plaintiff testified, "Since the data breach, I noticed a marked spike in spam texts and phishing phone calls." Another reported discovering his information for sale on dark web forums.

Attorneys weigh in

The plaintiffs’ lawyers argued that while HCA focused on “technical responses and compliance measures,” the company never attempted to pay the ransom demand, causing “anxiety, financial losses, and ongoing identity theft concerns” among patients. 

Furthermore, the settlement, though providing some relief, cannot undo the exposure of 11 million patients’ personal information “now permanently circulating in criminal networks,“ according to class attorneys.

Who Qualifies for Settlement Benefits

The settlement class includes all current HCA patients residing in the United States whose personal information was compromised in the July 10, 2023 data incident. 

Participants must also meet the following criteria:

• Be a current HCA patient (not a former patient).
• Reside in the United States.
• Have your personal information included in the compromised data.

The settlement excludes HCA's officers, directors, immediate families, and any judicial staff overseeing the case.

HCA Cyberattack Settlement Benefits

The data breach compensation structure provides two distinct benefit categories that class members may claim simultaneously:

Credit Monitoring and Insurance Services (CMIS)

Every eligible patient can receive one year of comprehensive identity protection, including:

• One-bureau credit monitoring with real-time alerts.
• Up to $1 million in identity theft insurance coverage.
• Professional fraud consultation services.
• Full identity theft restoration support.
• Flexible enrollment, allowing 12-month deferral if you already have coverage.

Documented Loss Payment

Patients who experienced financial harm may also seek reimbursement up to $5,000 by providing reasonable documentation, such as:

• Bank statements showing unauthorized charges.
• Receipts for identity protection services purchased after the breach.
• Documentation of time spent addressing fraud (at specified hourly rates).
• Costs for credit freezes or monitoring services
• Expenses related to replacing compromised accounts.

The settlement administrator will review all documented loss claims individually, and personal declarations alone won't suffice—you'll need concrete evidence linking expenses to the data breach.

How to File Your Claim

Claim filing for the settlement is a straightforward process. 

Online submission

1. Visit HCAHealthcareSettlement.com.
2. Enter your unique class member ID from the notice.
3. Select your desired benefits (CMIS, documented losses, or both).
4. Upload supporting documentation for loss claims.
5. Review and submit before September 25, 2025

Mail-in option 

Alternatively, class members can download a claim form and mail it to: 

In re HCA Healthcare, Inc., Data Security Litigation

c/o Kroll Settlement Administration LLC

P.O. Box 225391

New York, NY 10150-5391

PRO TIP: Keep copies of everything you submit. The settlement administrator may request additional documentation, and you'll have one opportunity to cure any deficiencies in your claim.

Important Dates and Deadlines

Mark these critical dates on your calendar:

• September 25, 2025: Claim submission deadline (must be postmarked by this date).
• August 25, 2025: Deadline to opt out of the settlement.
• August 25, 2025: Deadline to object to settlement terms.
• October 27, 2025: Final approval hearing at 9:30 a.m. CT.
• Post-approval: Benefits distributed after resolving all appeals.

The final approval hearing will occur at the U.S. Courthouse in Nashville, Tennessee. While attendance isn't required, class members who properly object may speak about their concerns.

If the court grants final approval and no member files an appeal, benefits could begin within 90 days. Credit monitoring enrollment instructions will also arrive approximately 30 days after final approval.

What This Means for Patient Privacy Going Forward

This landmark settlement demonstrates how patient advocacy through class action litigation can drive meaningful change in healthcare data protection.

When 11 million patients unite through legal action, even massive healthcare corporations must respond to security failures.

As healthcare increasingly digitizes, from electronic health records to telehealth platforms, the attack surface for cybercriminals expands.

The HCA Healthcare data breach settlement may encourage other healthcare systems to strengthen their cyber defenses proactively rather than risk similar litigation.