Bayhealth to settle lawsuit over 2024 ransomware attack affecting 500K

Written by Farah Amod | October 09, 2025

A Delaware medical center has agreed to resolve legal claims after nearly half a million patients were affected by a ransomware-related data breach.

What happened

Bayhealth Medical Center in Dover, Delaware, has agreed to settle a proposed class action lawsuit linked to a July 2024 ransomware attack. The incident was detected on July 31, after suspicious activity was discovered in its computer network. Investigators determined that attackers had access between July 27 and July 31, during which time they exfiltrated files containing sensitive patient data.

The breach was reported to the U.S. Department of Health and Human Services on October 14, 2024, and involved the electronic protected health information (ePHI) of 497,047 individuals. The data stolen included names, medical information, and Social Security numbers. The Rhysida ransomware group claimed responsibility and posted samples of the data on a dark web leak site.

Going deeper

Rhysida operates as a ransomware-as-a-service operation, using double extortion tactics to pressure victims into paying a ransom. In this case, Rhysida demanded 25 Bitcoin, about $1.4 million at the time, and threatened to auction the stolen data if payment wasn’t received by August 14, 2024.

Bayhealth responded by notifying patients quickly. A Facebook notice was posted on August 3, and the CEO confirmed the breach and Rhysida’s claims on August 7. Shortly afterward, a patient named Sally Cannon Dunlop discovered her data had been exposed on the dark web. She filed a lawsuit on behalf of affected individuals, alleging a failure to follow HIPAA and FTC data protection standards.

The lawsuit accused Bayhealth of negligence, breach of implied contract, and other claims, and sought various forms of damages. Although Bayhealth denied wrongdoing, the parties reached a mediated settlement. Terms are currently being finalized and are expected to receive preliminary court approval in October.

What was said

Bayhealth acknowledged the breach in public statements but did not admit liability. Dunlop’s complaint argued that the incident was part of a larger pattern of insufficient cybersecurity controls and regulatory non-compliance. While Rhysida’s ransom demand was not met, the group did release sample patient data online to increase pressure.

Legal representatives for both sides confirmed that a settlement had been reached following mediation, but declined to comment further until the agreement is formally approved.

The big picture

The Bayhealth settlement shows how ransomware has become one of the biggest financial and security threats in healthcare. Data from the Paubox 2025 Healthcare Email Security Report shows a 264% rise in ransomware attacks on healthcare organizations since 2018. The costs keep climbing, too: the average healthcare breach now costs $9.8 million, and the figure has already reached $11 million in the first half of 2025.

FAQs

What is double extortion in ransomware attacks?

Double extortion refers to a tactic where hackers not only encrypt a victim’s data but also steal it, threatening to publish or sell it if the ransom isn’t paid.

Who are ransomware-as-a-service groups like Rhysida?

These are cybercriminal groups that provide ransomware tools and infrastructure to affiliates, enabling widespread attacks in exchange for a share of the ransom proceeds.

What happens after a class action settlement is preliminarily approved?

Once a court gives preliminary approval, a notice is sent to affected individuals, and a formal hearing is scheduled to determine final approval of the settlement terms.

Why might a healthcare provider settle a case without admitting wrongdoing?

Settling allows the organization to avoid prolonged litigation, legal expenses, and further reputational damage, even if it denies legal liability.