Consulting Radiologists agrees to $2.2M settlement after data breach

The Minnesota radiology group is resolving litigation tied to a 2024 network intrusion affecting hundreds of thousands of patients.

 

What happened

Consulting Radiologists Ltd., a physician-owned radiology practice serving more than one hundred healthcare facilities in Minnesota and nearby states, has reached a $2.2 million settlement to resolve class action litigation following a 2024 data breach. Court records show the incident involved unauthorized access to the organization’s network, with patient information potentially exposed, including medical and insurance data and Social Security numbers for a subset of affected individuals. Multiple lawsuits were filed and later consolidated in Hennepin County District Court after the breach was disclosed to patients and regulators.

 

Going deeper

The intrusion was identified in February 2024, and the breach was later reported to federal regulators as affecting more than 500,000 individuals. Plaintiffs alleged the organization failed to implement reasonable safeguards and delayed notification after confirming unauthorized access. While the court dismissed some claims, several causes of action were allowed to proceed, including negligence and violations of Minnesota consumer and health records laws. The parties ultimately entered mediation and agreed to resolve the dispute without admitting wrongdoing, citing the cost, uncertainty, and duration of continued litigation.

 

In the know

According to Databreaches.net, public notifications did not identify the attackers or confirm whether a ransom was demanded, but two ransomware groups later claimed involvement. LockBit 3.0 listed Consulting Radiologists on its leak site in April 2024 and posted what it said was proof of access before updating the entry in May. Around the same time, the Qilin ransomware group also claimed responsibility and shared its own proof. Neither group ultimately released patient data, and the LockBit listing was later removed. Consulting Radiologists’ breach notice did not address whether systems were encrypted or whether negotiations occurred, leaving several aspects of the incident unresolved.

 

What was said

Consulting Radiologists denied liability and stated in court filings that it maintains security measures intended to protect patient information. Plaintiffs argued that stronger controls and earlier detection could have limited exposure. The settlement was presented to the court as a way to provide relief to affected individuals while avoiding further legal proceedings. A final fairness hearing has been scheduled, and class members have been notified of their options under the agreement.

 

The big picture

According to the American Hospital Association’s 2025 cybersecurity review, more than 80% of stolen health records in recent years were taken from vendors, business associates, and non-hospital systems rather than directly from hospitals, and over 90% of compromised data was accessed outside core electronic health record platforms. The Change Healthcare ransomware attack, which ultimately affected about 193 million people, reinforced how gaps in data mapping and third-party oversight can amplify the scale and legal fallout of a single intrusion. As providers rely on external partners for imaging, billing, and clinical services, courts and regulators continue to scrutinize how well organizations understand where patient data lives and who has access to it.

 

FAQs

Why do healthcare breaches often lead to class action lawsuits?

Patients may claim harm based on increased identity theft risk, loss of privacy, or costs associated with monitoring and mitigation, even if misuse is not confirmed.

 

Does a settlement mean the provider admitted wrongdoing?

No. Settlements typically include explicit denials of liability and are often reached to avoid prolonged litigation and expense.

 

Why are Social Security numbers treated differently in breach cases?

They are considered high-risk identifiers because they are difficult to change and can be used for long-term identity fraud.

 

What factors influence settlement amounts?

Courts and parties consider the number of affected individuals, the types of data involved, the strength of legal claims, and the cost of ongoing litigation.

 

What should patients do after receiving a breach notice?

They should review the notice carefully, monitor financial and medical statements, consider fraud alerts or credit freezes, and remain cautious of unsolicited communications referencing the incident.
