Gryphon Healthcare, a Houston, Texas-based organization that provides a variety of technical services to healthcare companies, recently agreed to settle a lawsuit stemming from a July 2024 cyberattack that impacted one of Gryphon’s healthcare partners. The incident impacted 393,358 individuals and exposed data including victims’ names, dates of birth, addresses, Social Security numbers, dates of service, diagnoses, medical treatment information, and more.
Ultimately, Gryphon Healthcare agreed to settle to avoid a potentially long and costly litigation battle. The $2.87 million settlement, which is expected to be approved, will go towards legal fees, administrative costs, service awards, and class members.
The lawsuit, Morris et al., v. Gryphon Healthcare, LLC, consolidated eight complaints that alleged Gryphon was negligent, breached implied contract, fiduciary duty, and confidence, and failed to provide adequate notice to victims, among other allegations.
As part of the settlement, Gryphon Healthcare denies any wrongdoing or liability for the incident. A final fairness hearing is scheduled for August 31st, 2026.
The lawsuit argued that Gryphon failed to implement reasonable cybersecurity measures, and that this failure resulted in a breach. It further argued that if Gryphon had maintained defensive measures in line with industry standards, the breach would have been prevented.
A through-line in many class action lawsuits is whether or not the organization could have prevented the incident from taking place. Proper data security measures, such as an email encryption service like Paubox, can both prevent a data breach and help organizations defend their current cybersecurity practices. Data breaches alone can be difficult to recover from, forcing organizations to examine their security practices, notify patients, and improve. Lawsuits add further challenges and bring breaches further into the limelight, leading to loss of patient trust and reputational risk.
Class action suits can just as easily target third parties, as in this case against Gryphon Healthcare. Just a few weeks ago, Paubox reported on a settlement against Continuum Health Alliance. In that case, the incident impacted slightly fewer individuals (approximately 377,000) and resulted in a settlement of $1.3 million, showing the wide range in settlement agreements.
According to HIPAA’s Breach Notification Rule, organizations must notify victims within 60 days of discovering a data breach. Gryphon discovered the incident in August 2024 and notified victims on October 11th, 2024. The exact date of discovery would determine whether Gryphon violated the notification rule, but the allegation highlights the need for organizations to notify victims clearly and promptly. In some cases, notification may be delayed if it could impede an investigation, but that decision would be made with guidance from law enforcement and forensic teams.
Other lawsuits are unlikely to emerge after this incident settles, as settlements generally prohibit additional legal action. However, individuals who choose to opt out of the settlement may be able, under certain circumstances, to file a separate lawsuit.