Proliance Surgeons agrees to $4.45M settlement after ransomware breach

A Washington surgical group has reached a multimillion-dollar settlement to resolve litigation following a ransomware incident that exposed patient data.

 

What happened

Seattle-based Proliance Surgeons has agreed to a $4.45 million settlement to resolve consolidated class action litigation tied to a February 2023 ransomware attack and data breach. Hackers accessed the organization’s network on February 11, 2023, and exfiltrated files containing patient information. Notification letters were mailed to approximately 437,392 affected individuals in November 2023. Multiple lawsuits filed after the disclosure were later consolidated into a single case titled In re: Proliance Surgeons Data Breach Litigation in the Superior Court of the State of Washington for King County. Plaintiffs alleged the organization failed to implement adequate safeguards to protect personal and protected health information stored on its systems, allowing unauthorized access to data, including names, Social Security numbers, dates of birth, phone numbers, medical information, diagnosis and treatment data, insurance information, and medical record numbers.

 

Going deeper

The litigation centered on the delay in notifying patients after the breach was discovered, with the complaint stating that individuals received notification letters more than 280 days later, which plaintiffs said limited their ability to respond to potential identity theft. Proliance Surgeons denied all allegations of wrongdoing and said it chose to settle to avoid the uncertainty, expense, and burden of prolonged litigation. Under the settlement terms, the organization will establish a $4.45 million fund to cover class member benefits, administrative costs, and legal fees. Class members may claim reimbursement for documented losses up to $5,000, enroll in two years of medical identity monitoring services, or receive a pro rata cash payment of up to $599, depending on participation. The deadline to exclude oneself from the settlement or file objections is April 28, 2026, with claims due by May 28, 2026.

 

What was said

The consolidated complaint argued that the breach exposed patients to long-term harm and financial risk. Plaintiffs stated the incident had “caused irreparable harm to their personal, financial, reputational, and future well-being,” according to filings referenced in reporting on the case. Proliance Surgeons denied liability but agreed to the settlement to avoid continued litigation risk.

 

In the know

According to reporting by Teiss, the ransomware group behind the February 2023 Proliance Surgeons attack has not been publicly identified. The incident affected more than 400,000 patients and involved both data encryption and exfiltration, meaning attackers locked systems and stole sensitive information. However, the stolen data was not published on typical dark web leak sites, which has led to speculation that a ransom may have been paid. In contrast, other healthcare organizations, such as the Long Island Plastic Surgical Group, were later targeted by the BlackCat (ALPHV) ransomware group in 2024; the Proliance attack itself, however, remains officially unattributed.

 

The big picture

Healthcare continues to face some of the highest breach costs and legal exposure after cyber incidents. According to IBM’s Cost of a Data Breach Report 2024, healthcare has remained the most expensive industry for breach recovery for more than a decade, with average costs exceeding $10 million per incident. Large breaches affecting hundreds of thousands of patients often lead to class action lawsuits that examine data security practices, how quickly patients were notified, and whether organizations followed privacy regulations.

 

FAQs

Why do healthcare breaches often lead to class action lawsuits?

Medical records contain highly sensitive personal and financial information. When large numbers of patients are affected, plaintiffs frequently pursue collective legal action alleging negligence or violations of consumer protection and privacy laws.

 

What types of information were exposed in the Proliance breach?

Reported data elements included names, Social Security numbers, dates of birth, contact information, medical information, treatment details, insurance data, and medical record numbers.

 

Why is breach notification timing important in litigation?

Delayed notification can prevent individuals from monitoring accounts, placing fraud alerts, or taking steps to limit identity theft risks. Courts often assess whether organizations acted promptly after discovering an incident.

 

What is medical identity monitoring?

Medical identity monitoring services track misuse of personal and healthcare information, such as fraudulent medical claims or unauthorized use of health insurance.

 

What happens after a settlement like this is announced?

Affected individuals typically receive instructions explaining how to file claims, opt out, or object to the settlement before a court conducts a final fairness hearing to approve or reject the agreement.
