LifeBridge Health agrees to $575,000 settlement over 2024 data breach


LifeBridge Health has agreed to a $575,000 class action settlement to resolve claims stemming from a November 2024 data breach.

 

What happened

Baltimore-area health system LifeBridge Health Inc. has reached a $575,000 class action settlement with patients whose personal information may have been exposed in a cybersecurity incident disclosed last year. The settlement offers eligible members cash payments of up to $5,000 for documented losses.

 

The backstory

In November 2024, LifeBridge Health notified patients that an unauthorized third party had gained access to its computer systems in a cybersecurity incident detected by the organization. Internal and third-party investigations found that sensitive personal information, such as names, dates of birth, medical record numbers, addresses, Social Security numbers, and, in some cases, limited treatment or insurance information, may have been accessed by the attacker.

The incident was later linked to a breach at a third-party electronic health records vendor, Oracle Health/Cerner.

 

Going deeper

Under the settlement terms, a $575,000 fund has been established to provide cash payments to eligible class members and to cover notice and administration costs, attorneys’ fees, and service awards for class representatives. Affected individuals may submit a claim for reimbursement of documented out-of-pocket losses of up to $5,000, with supporting evidence, or opt for a flat pro rata cash payment of approximately $100, without documentation.

In addition to the financial relief, LifeBridge has agreed to implement enhanced cybersecurity measures designed to strengthen system protections and reduce the risk of similar incidents in the future.

 

What was said

In the settlement documents, LifeBridge Health makes clear that it “denies any wrongdoing whatsoever” in connection with the November 2024 data incident and that “the Court has not ruled that Defendant did anything wrong,” emphasizing that agreeing to resolve the lawsuit does not mean the health system admits liability.

The official notice states that LifeBridge and the plaintiffs agreed to a settlement “to avoid the expense, delay, and uncertainty of continued litigation,” even though the company maintains it would have defended its practices at trial.

The settlement agreement itself reaffirms the core terms, noting that LifeBridge will establish the $575,000 fund to cover class members’ benefits along with costs, fees, and service awards, and that all Settlement Class Members will be eligible to recover compensation for documented losses as well as a flat cash payment.

 

The bigger picture

Class action lawsuits against healthcare providers over data breaches have become increasingly common as cyberattacks target medical records, which contain rich personal and protected health information (PHI). LifeBridge Health is one of several U.S. health systems to settle such claims in recent years. Previous litigation involving the system included a separate long-running lawsuit over a 2018 breach that led to a $9.5 million settlement, with millions spent on security improvements and patient reimbursement.

Just recently, Carespring Health Care Management agreed to settle a class action lawsuit concerning a data breach that, in October 2023, compromised the sensitive personal and medical information of 76,719 patients and residents.

 


FAQs

What regulatory implications can arise from incidents like this?

Healthcare data breaches can trigger investigations under HIPAA and state privacy laws, along with potential reporting obligations to federal and state authorities. Even when resolved through civil litigation, organizations may face parallel regulatory scrutiny.

 

What financial risks extend beyond the settlement amount?

Total breach costs typically include forensic investigations, legal defense, regulatory response, patient notification, credit monitoring services, system remediation, business interruption, and reputational harm, often far exceeding the settlement fund itself.

 

Does a denial of wrongdoing reduce reputational risk?

Not necessarily. While legal denial protects against liability admission, public perception often centers on whether patient data was exposed and how effectively leadership responded.
