Heritage Provider Network pays $50M over massive ransomware data breach

Written by Farah Amod | October 30, 2025

A nearly $50 million settlement has received preliminary approval to resolve multiple class action lawsuits stemming from a 2022 ransomware attack that exposed sensitive data from millions of patients across California and neighboring states.

What happened

A California court has granted preliminary approval for a $49.99 million settlement involving Heritage Provider Network, Regal Medical Group, and several affiliated healthcare organizations following a major data breach in December 2022. The breach affected more than 3.4 million individuals after hackers gained access to servers containing personally identifiable and protected health information, including names, addresses, Social Security numbers, and medical data.

The attack began on or before December 1, 2022, and was discovered a week later after staff reported access issues. The defendants began issuing breach notifications in February 2023, as required by HIPAA.

Going deeper

The breach triggered 26 separate lawsuits, later consolidated into Head, et al. v. Regal Medical Group, Inc., et al. The plaintiffs accused the defendants of negligence and violations of multiple state and federal privacy laws, including the California Consumer Privacy Act and HIPAA. They claimed Heritage and its affiliates failed to implement reasonable cybersecurity safeguards, encrypt sensitive data, and promptly notify affected individuals.

The defendants maintain there was no wrongdoing, but agreed to settle to avoid ongoing legal expenses and the uncertainty of a trial. After three mediation sessions, Superior Court Judge Timothy P. Dillon approved the preliminary settlement terms.

What was said

Court documents show the plaintiffs argued that the defendants “failed to take and implement adequate and reasonable measures” to secure sensitive health data despite knowing the risks of cyberattacks in healthcare. Multiple lawsuits referenced emotional distress, financial losses, and ongoing fears of identity theft among victims.

Heritage Provider Network and its affiliates continue to deny any liability or wrongdoing, but said the settlement was intended to provide a resolution and support for those affected.

The big picture

According to Paubox’s State of Healthcare Email Security Report, ransomware remains one of the most damaging and costly threats in healthcare, with attacks on providers increasing by 264% since 2018. The report shows that many large health systems struggle with complex infrastructures, misconfigurations, and compliance gaps that leave millions of patient records at risk. With the average cost of a healthcare data breach reaching $11 million in 2025, the highest of any industry, these systemic weaknesses translate directly into massive financial exposure. The recent $49.99 million Heritage Provider Network settlement reflects the growing trend of costly legal and regulatory fallout when organizations fail to maintain provable, proactive cybersecurity safeguards.

FAQs

Why are settlements like this becoming more common in healthcare?

Ransomware attacks and data breaches have surged across healthcare networks, prompting more collective legal action as patients seek compensation for privacy violations and emotional distress.

What determines the amount each affected person can receive?

Payouts depend on the number of approved claims, documented financial losses, and overall participation. The remaining settlement funds will be divided proportionally among claimants.

What are the broader implications for healthcare providers?

The settlement signals to other healthcare networks that inadequate cybersecurity can lead to costly litigation and regulatory action, encouraging stronger compliance and vendor oversight.

How can affected patients verify their eligibility for compensation?

Eligible individuals will receive official notifications with instructions on how to file claims online or by mail before the December 22, 2025, deadline.

Does this settlement prevent future lawsuits over the same breach?

Yes. Once finalized, the settlement will release Heritage Provider Network and its affiliates from further legal claims related to the 2022 data breach.