General Physician, P.C. faces $2.5M settlement over massive data breach
Mara Ellis
March 9, 2026
General Physician, P.C., a medical group serving patients in Western New York, agreed to pay $2.5 million to settle a class action lawsuit stemming from a 2024 data breach.
What happened
The organization discovered suspicious activity in its email environment on June 12, 2024. A forensic investigation later determined that an unauthorized third party had accessed the email system from April 6, 2024, through June 12, 2024. According to filings, information potentially exposed during that period included patients’ names and treatment data.
The incident was initially reported to the U.S. Department of Health and Human Services’ Office for Civil Rights with a placeholder figure of 501 affected individuals, but the total was subsequently updated to 167,387. Multiple lawsuits were filed alleging that the practice failed to implement reasonable cybersecurity safeguards to protect sensitive data.
The cases were consolidated as Newhart v. General Physician, P.C. in the Supreme Court of the State of New York, County of Erie. Although the company denied liability, it agreed to establish a $2.5 million settlement fund to resolve the claims.
In the know
The breach and settlement follow a similar email intrusion incident in the same state. In that case, EyeMed Vision Care agreed to pay $5 million to settle consolidated class action lawsuits arising from a 2020 phishing attack that compromised an employee's email account and exposed customer data.
What was said
According to a Notice of Proposed Class Action Settlement, “The Court did not decide in favor of the Plaintiffs or Defendant. The Defendant denies all claims and contends that it has not violated any laws.”
Why it matters
A 2025 Paubox report found that 92% of healthcare IT leaders express confidence in their ability to prevent email breaches, yet many organizations rely on outdated systems, misconfigured tools, and practices that depend on individual users to secure messages, creating a confidence gap between perceived and actual security.
Email remains the top attack vector for healthcare breaches, with human error and inadequate email authentication protocols such as DMARC and SPF contributing to rampant vulnerabilities. The report also notes that most healthcare organizations spend less than 10% of their IT budget on cybersecurity, and cumbersome security tools often lead staff to bypass safeguards, further increasing risk.
These systemic issues help explain why email-based phishing and unauthorized access continue to drive costly breaches and subsequent litigation.
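The report's point about inadequate SPF and DMARC is easy to check against a domain's own published records. The following script is an added example, not code from the article or from Paubox: it parses SPF and DMARC TXT records and flags the configurations that leave a domain open to spoofing (a `+all` or missing `all` mechanism, a `p=none` monitoring-only policy, partial `pct=` enforcement, no aggregate-report address). The domain names and records in `SAMPLE_RECORDS` are constructed for illustration so the script runs offline; in practice the records would come from a DNS TXT lookup of the domain and of `_dmarc.<domain>`.

```python
"""Offline checks for the two email-authentication records the report names,
SPF and DMARC. Sample records below are constructed for illustration."""
import re

# Constructed sample TXT records (not real domains or published records).
SAMPLE_RECORDS = {
    "weak-clinic.example": {
        "spf": "v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "hardened-clinic.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@hardened-clinic.example; adkim=s; aspf=s",
    },
    "no-auth.example": {"spf": None, "dmarc": None},
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism) pairs.
    Returns None if the record is missing or is not an SPF record."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    terms = []
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        terms.append((qualifier, term.lower()))
    return terms


def assess_spf(record):
    """Return a list of findings for an SPF record (empty list = no issues found)."""
    terms = parse_spf(record)
    if terms is None:
        return ["no SPF record published: any host can claim to send for this domain"]
    findings = []
    all_qualifiers = [q for q, m in terms if m == "all"]
    if not all_qualifiers:
        findings.append("no 'all' mechanism: unlisted senders are neutral rather than rejected")
    elif all_qualifiers[-1] == "+":
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif all_qualifiers[-1] == "?":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    lookups = sum(1 for _, m in terms if re.split(r"[:=]", m)[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict, or None if absent/invalid."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return a list of findings for a DMARC record (empty list = no issues found)."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record published: spoofed mail is neither rejected nor reported"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed messages are still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy tag 'p={policy}'")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts are never received")
    return findings


def assess_domain(records):
    """Combine both checks for one domain's records."""
    return {"spf": assess_spf(records.get("spf")), "dmarc": assess_dmarc(records.get("dmarc"))}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain)
        for kind, findings in assess_domain(records).items():
            for finding in findings or ["ok"]:
                print(f"  {kind}: {finding}")
```

The checks are deliberately conservative: a domain with `-all` and `p=reject` passes, while the same domain with `~all` (softfail) is not flagged, since softfail plus an enforcing DMARC policy is a common and acceptable pairing. Organizations that run a hosted mail platform should still confirm the platform's own sending hosts are listed before tightening `all`, or legitimate mail will fail authentication.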
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
FAQs
What constitutes a HIPAA breach involving email?
A breach occurs when unsecured PHI is sent by email without encryption or other proper safeguards, allowing unauthorized access, or when a phishing attack compromises an account that contains PHI.
What violates HIPAA in email communications?
Unencrypted PHI attachments, the lack of business associate agreements (BAAs) with email providers, missing audit logs, and insecure forwarding all expose data and risk fines of up to $50,000 per violation.
What must be done after an email data breach?
Assess whether PHI was acquired (a breach is presumed unless there is a low probability of compromise), notify affected individuals within 60 days, notify HHS within 60 days for breaches affecting >500 individuals, and notify the media for statewide breaches.
