
Henderson & Walton Women’s Center settles class action lawsuit


Henderson & Walton Women’s Center, P.C., a Birmingham, Alabama women’s healthcare provider, has agreed to settle a class action lawsuit tied to a 2022 cybersecurity incident.

 

What happened

The lawsuit, Townsel v. Henderson & Walton Women’s Center, P.C., was filed in the Circuit Court of Jefferson County, Alabama. Plaintiff Kim Townsel alleged the practice failed to use reasonable safeguards to protect patients’ personal information and protected health information, bringing claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Henderson & Walton denies any wrongdoing, liability, or improper conduct, yet agreed to resolve the case to avoid the cost, disruption, and uncertainty of ongoing litigation. The court has preliminarily approved the settlement, which allows eligible class members to seek reimbursement for ordinary losses, extraordinary losses, and lost time, along with three years of medical and credit monitoring services. Key dates include a June 29, 2026 objection deadline, a July 13, 2026 exclusion deadline, an August 27, 2026 claim deadline, and an August 12, 2026 final approval hearing.

 

The backstory

The incident involved access to an employee email account. Henderson & Walton later reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR). The breach affected 34,306 patients and may have involved names, dates of birth, Social Security numbers, medical information, health insurance information, driver’s license numbers, and state ID numbers.

 

What was said

According to the court filing for the lawsuit, “On February 29, 2024, as a result of the Cybersecurity Incident, Plaintiff filed a Class Action Complaint (“Complaint”) against Henderson, in the Circuit Court of Jefferson County, Alabama, asserting causes of action for: (1) negligence; (2) negligence per se; (3) breach of implied contract; and (4) breach of fiduciary duty; and (5) unjust enrichment, seeking to represent a nationwide class of aggrieved individuals.”

 

In the know

Under HIPAA, the incident would be treated as a breach involving unauthorized access to unsecured PHI. The allegation over reasonable safeguards speaks to the compliance issue behind the breach. HIPAA requires covered entities to protect PHI through reasonable administrative, physical, and technical safeguards.

Healthcare breaches often expose more than a technical weakness. They can also reveal workflow gaps and access problems. In the study Human Factors in Electronic Health Records Cybersecurity Breach, the authors wrote, “We found that a vast majority of health records were compromised due to poor human security.” The point is that a breach may be reported as a hacking or IT incident, yet the underlying risk often comes from a variety of gaps that leave sensitive information accessible.


 

FAQs

Is a hacking or IT incident always a HIPAA breach?

No. A cyber incident becomes a HIPAA breach when unsecured protected health information is accessed, acquired, used, or disclosed in a way HIPAA does not permit.

 

What does unsecured PHI mean?

Unsecured PHI is PHI that has not been made unreadable, unusable, or indecipherable to unauthorized people through approved methods such as encryption or destruction.

 

Who must be notified after a hacking or IT incident?

Covered entities must notify affected individuals, the HHS Secretary, and, in some cases, the media.
