Comcast experienced a major cybersecurity incident in October 2023 that later became the basis for a class action settlement finalized in early 2026.
Attackers exploited a vulnerability in Comcast’s systems between October 16 and October 19, 2023, gaining unauthorized access to customer data. The breach affected approximately 31.6 million customers across the United States. Victims later received individual breach notifications from the company.
The compromised information included personally identifiable customer data, triggering concern from victims about identity theft and fraud risks, although detailed categories of exposed data were not fully specified in public court summaries. Plaintiffs in the class action lawsuit alleged that Comcast failed to implement and maintain adequate cybersecurity safeguards, arguing that weaknesses in its security controls allowed attackers to exploit the vulnerability and access sensitive customer records.
Comcast has consistently denied wrongdoing and did not admit liability as part of the settlement. Nevertheless, the company agreed to resolve the litigation by paying $117.5 million, one of the largest consumer data breach settlements tied to a telecommunications provider. The proposed settlement received preliminary court approval on January 16, 2026, and provides for both cash payments to eligible class members and identity protection services to help mitigate ongoing risks associated with potential misuse of exposed information.
According to the notification issued to the Main Attorney General, on October 10, 2023, Citrix issued a security bulletin warning customers about a severe flaw in its NetScaler products, later widely known as CitrixBleed (CVE-2023-4966), which allowed attackers to hijack authenticated user sessions and access systems without valid credentials. Court records and media reporting indicate that Comcast, which relied on Citrix software in its internal environment, did not fully implement the patch and mitigation guidance before attackers began exploiting the flaw.
Between October 16 and October 19, 2023, hackers gained unauthorized access to Comcast’s internal systems, allegedly using the unpatched vulnerability to extract customer data. Comcast detected suspicious activity later in October and launched an investigation, but did not confirm that customer information had likely been acquired until mid-November 2023. The company began notifying affected customers around December 18, 2023.
According to the settlement document, “Comcast later discovered that—during its delay in implementing the patch—unauthorized third parties hacked into its systems by exploiting Citrix Bleed. Specifically, between October 16 and October 19, 2023, unauthorized third parties gained access to Comcast’s internal systems and acquired some combination of usernames and passwords, names, contact information, last four digits of Social Security numbers, dates of birth and/or secret questions and answers (“PII”) for over 30 million former and current Comcast customers.
Peer-reviewed research in JMIR found that hacking-related breaches are the dominant cause of healthcare data exposures and are associated with high downstream costs, particularly when organizations must rapidly reconfigure systems after an incident. One large analysis reports that breach remediation efforts are linked to deterioration in timeliness of care and worse patient outcomes, as security overhauls, system changes, and emergency controls introduce delays and usability challenges for clinicians.
Even neighboring hospitals increase IT capital spending after high-profile breaches, reflecting sector-wide spillover effects and heightened compliance pressure. Against this evidence base, the Comcast case is instructive for healthcare because it highlights how third-party software vulnerabilities, delayed mitigation windows, and large settlement exposure can amplify legal liability and long-term risk.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
Common claims include negligence, breach of fiduciary duty, breach of contract, invasion of privacy, and violations of state consumer protection statutes.
Courts assess numerosity, commonality, typicality, and adequacy of representation to determine whether class certification is appropriate.
Healthcare class actions can take several years from filing to final resolution due to discovery, motions, and court approval requirements.