Centrelake Medical Group settles 2019 ransomware class action suit

The California imaging and oncology provider will resolve litigation tied to a breach affecting nearly 200,000 patients.

What happened

Centrelake Medical Group, which operates eight medical imaging and oncology centers in California, has agreed to settle a class action lawsuit stemming from a February 2019 ransomware attack that affected 197,661 individuals. According to the organization’s breach notification filed with the California Attorney General, unauthorized actors had access to Centrelake’s servers between January 9 and February 19, 2019, and may have obtained patient information including names, addresses, phone numbers, Social Security numbers, health insurance details, diagnoses, dates of service, medical record numbers, referring provider information, and driver’s license numbers. The notification stated, “Centrelake Medical Group recently discovered that it was the victim of a ransomware attack,” and confirmed that the investigation determined unauthorized access to its systems during that period.

Going deeper

The lawsuit April Kay Moore, et al. v. Centrelake Medical Group, Inc. was filed in the Superior Court of California, Los Angeles County, where patients alleged the healthcare provider failed to protect medical information and violated state privacy and consumer protection laws, including California Civil Code Section 56, which governs medical confidentiality, and Business and Professions Code Section 17200, which addresses unfair business practices. Centrelake denied wrongdoing but agreed to settle to avoid prolonged litigation, with proposed terms including $525,000 for attorneys’ fees and expenses, $2,500 payments to each class representative, and coverage of notice and administrative costs. A final fairness hearing is scheduled for July 14, 2026, and the claims deadline is June 12, 2026.

What was said

In the settlement agreement, Centrelake stated it “denies each and all the claims and contentions alleged against it in the Litigation” and “denies all charges of wrongdoing or liability,” while agreeing to settle because “further conduct of the Litigation would be protracted and expensive” and it was “desirable that the Litigation be fully and finally settled.” The document confirms the underlying incident, noting that Centrelake “was the victim of a criminal cyberattack” in which attackers accessed certain servers and installed a virus that prevented access to stored information. The agreement also states that the settlement “compromises claims that are contested and shall not be deemed an admission” of liability, while acknowledging that security enhancements were implemented after the attack.

The big picture

The Centrelake Medical Group case shows the long-term legal and financial “cascade of consequences” that can follow a healthcare breach. Unauthorized actors accessed the provider’s systems for more than a month before the ransomware was detected, exposing what researchers describe as an industry-wide “visibility gap.” According to the report “What small healthcare practices get wrong about HIPAA and email security,” healthcare organizations take an average of 224 days to detect and 84 days to contain a breach. Ransomware attacks against healthcare have also surged by 264% since 2018. A second report, “2025 mid-year email breach data reveals there’s no slowing down,” found that the average cost of a healthcare breach has reached $11 million, the highest of any industry for 14 consecutive years. Rick Kuwahara, Chief Compliance Officer at Paubox, said many organizations operate under a “false sense of security” and only recognize their “security gaps after a serious incident occurs.”

FAQs

Why do ransomware incidents often lead to class action lawsuits?

Ransomware attacks can expose both medical and financial identifiers, which creates potential claims for negligence, breach of contract, and violations of state privacy statutes, even when misuse of data is not conclusively proven.

How do California privacy laws affect healthcare breach litigation?

California law includes specific protections for medical information and broad consumer protection statutes, allowing plaintiffs to assert claims beyond federal HIPAA enforcement mechanisms.

What does a final fairness hearing determine?

A fairness hearing allows a court to evaluate whether the settlement terms are reasonable and adequate for the class before granting final approval.

Are monitoring services typical in healthcare settlements?

Credit and identity monitoring services are commonly offered as part of healthcare data breach settlements, particularly when Social Security numbers or financial identifiers are involved.

Does settling a class action mean the organization admitted fault?

Settlements typically resolve claims without an admission of liability, allowing organizations to limit litigation risk and cost while compensating affected individuals under agreed terms.
