
IBJI agrees to $4 million settlement after 2024 data breach


Illinois Bone and Joint Institute (IBJI), one of the largest orthopedic group practices in Illinois, agreed to settle a consolidated class action lawsuit tied to a 2024 cyberattack and data breach.

 

What happened

IBJI said it detected unauthorized access to its systems on or around July 4, 2024, and a subsequent forensic investigation found that hackers had accessed its network from May 30 through July 4. During that time, the attackers copied files containing personal and medical information. The breach was initially reported to the HHS Office for Civil Rights as affecting about 183,000 individuals, but that total was later amended to 665,321.

After the incident, a wave of legal action followed. Plaintiff Guy Redman filed the first lawsuit in Cook County, and other plaintiffs later filed seven additional lawsuits. As the cases raised similar allegations, they were consolidated into a single complaint. The lawsuit accused IBJI of negligence, breach of implied contract, unjust enrichment, invasion of privacy, and violating the Illinois Consumer Fraud and Deceptive Business Practices Act.

IBJI denied the allegations and denied any wrongdoing, fault, or liability. Still, following mediation, the parties agreed to settle to avoid the cost, disruption, and uncertainty of prolonged litigation. The $4 million settlement has received preliminary court approval, and a final fairness hearing is scheduled for July 1, 2026.

 

What was said

According to the breach report, “IBJI detected unauthorized access to certain computer systems on the IBJI network. IBJI immediately initiated an investigation, retained cybersecurity experts and notified law enforcement. Through its IT infrastructure, IBJI took all steps to immediately secure its environment from any additional malicious activities in order to safeguard its systems.”

 

Why it matters

Recent healthcare cases show that IBJI is not an outlier. Shields Health Care Group agreed to a $15.35 million settlement after a 2022 breach affecting more than 2 million people, while PharMerica agreed to a $5.2 million settlement tied to a 2023 breach affecting more than 5.8 million individuals.

Kaiser, in a different but related privacy fight, agreed to a $46 million preliminary settlement over alleged web-tracking disclosures involving 13.4 million records. Healthcare cyber and privacy incidents are judged by how they start and how long the legal damage lasts.


 

FAQs

How are the Illinois consumer fraud law and HIPAA different?

The Illinois law is a state consumer-protection statute aimed at unfair or deceptive business conduct in trade or commerce. HIPAA is a federal health information law focused on the privacy, security, use, disclosure, and breach notification duties tied to protected health information.

 

Can the same healthcare incident raise issues under both laws?

Yes. A healthcare data incident can trigger HIPAA obligations around privacy, security, and breach notification, while also leading to state-law claims if plaintiffs argue the organization engaged in unfair or deceptive conduct.

 

Who enforces HIPAA?

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. OCR investigates complaints and also conducts compliance reviews.
