NetGain to pay $1.9 million in settlement

NetGain will pay $1.9 million to settle a lawsuit over a ransomware attack that exposed sensitive patient data from its healthcare clients.

 

What happened

NetGain has agreed to a $1.9 million settlement to resolve a class action lawsuit stemming from a 2020 ransomware attack. The Minnesota-based cloud hosting and managed IT provider, which serves many healthcare clients, suffered a cyberattack that exposed highly sensitive personal and medical information. The breach occurred between September and December 2020, with ransomware deployed on November 24. The attackers accessed and exfiltrated data from thousands of Netgain servers.

 

Going deeper

The stolen data included names, contact information, birth dates, Social Security numbers, medical records, and financial information from healthcare provider clients. The breach led to a series of lawsuits, with the first filed by Misty Meier and Jane Doe in May 2021. Additional plaintiffs followed, and the cases were consolidated into a single class action, In Re: Netgain Technology, LLC, Consumer Data Breach Litigation, in the United States District Court for the District of Minnesota.

While some of the plaintiffs’ claims were dismissed, the court allowed causes of action for negligence and declaratory judgment to proceed. Under the settlement terms, class members can claim up to $5,000 for documented financial losses or time spent resolving issues caused by the breach. Any leftover funds in the $1.9 million pool will be distributed evenly among the class.

 

What was said

The court has given preliminary approval to the settlement, marking a step toward closure for those affected. In addition to monetary relief, Netgain has committed to a three-year period of injunctive measures aimed at bolstering cybersecurity.

These measures include firewall upgrades, geo-blocking, secure gateway routing, enhanced virus prevention, multi-factor authentication in hosting environments, secure backup protection, and scalable network configurations, all aimed at preventing a repeat of the 2020 incident.

 

The big picture

The NetGain case marks a turning point in how liability is viewed in healthcare cybersecurity. It’s no longer just the hospitals and clinics under scrutiny; vendors are now firmly in the legal crosshairs. As patient data flows through a growing web of third-party platforms, this settlement signals a shift: security failures aren’t just technical issues; they’re legal and financial risks with long-term fallout.

 

FAQs

Why is this settlement significant for the healthcare industry?

It shows the growing accountability of IT vendors handling patient data and sets a legal precedent for third-party breach liability.

 

What risks do healthcare providers face when using third-party IT vendors like Netgain?

They risk regulatory penalties, patient trust erosion, and litigation—even if their own systems weren’t breached, because data security obligations extend to vendors.

 

How common are ransomware attacks on healthcare-related vendors?

Extremely common. Healthcare vendors are high-value targets due to the sensitivity and volume of patient data they manage.

 

What does this case reveal about legal consequences for cybersecurity failures?

Even when some claims are dismissed, courts may allow negligence cases to proceed if there’s evidence of poor security practices.

 

How might this affect future contracts with healthcare IT providers?

Clients may demand stricter cybersecurity guarantees, audit rights, and indemnity clauses to protect against third-party breaches.
