Staten Island University Hospital settles lawsuit tied to vendor breach

The New York hospital has agreed to resolve a class action lawsuit stemming from a 2024 breach at one of its business associates.

What happened

Staten Island University Hospital agreed to settle a class action lawsuit following a January 2024 data breach at The Medibase Group Inc., a business associate that provides healthcare and back-office services. According to settlement documents, Medibase informed the hospital around May 8, 2024, that an unauthorized third party had accessed systems containing protected health information of 35,106 individuals, including names, Social Security numbers, dates of birth, medical details, and health insurance information. Notification letters were sent to affected patients on July 5, 2024. The lawsuit, Santiago et al. v. Staten Island University Hospital, was filed in the Superior Court of Cherokee County, Georgia, alleging that reasonable safeguards were not in place to protect patient data.

Going deeper

The complaint alleged negligence, negligence per se, breach of implied contract, and unjust enrichment, meaning the hospital was accused of failing to exercise reasonable care, violating legal duties, breaking implied promises to protect patient data, and benefiting unfairly despite the breach. Staten Island University Hospital denied wrongdoing and liability but agreed to settle to avoid the cost and disruption of continued litigation. Deadlines for opting out, submitting claims, and the final court approval hearing are scheduled for March 2026. The case shows continued legal scrutiny when a breach occurs within a healthcare vendor’s systems rather than directly inside a hospital’s own network.

What was said

In the settlement agreement, Staten Island University Hospital states that it entered into the agreement “to resolve all controversies and disputes arising from or relating to the Data Incident” and “to avoid the litigation costs, expenses, distractions, burden, expense, and disruption to its business operations associated with further litigation.” The hospital further states that it “does not in any way acknowledge, admit, or concede” the allegations made in the complaint and “expressly disclaims and denies any fault or liability, or any charges of wrongdoing that have been or could have been asserted.” The agreement also specifies that nothing in the settlement may be used or construed as an admission of liability in any court or proceeding.

Separately, the agreement notes that plaintiffs received assurances that the hospital no longer conducts business with Medibase, the vendor involved in the incident.

The big picture

The case follows a pattern of escalating litigation in which "reasonable safeguards" are scrutinized. As noted in the Paubox 2025 Healthcare Email Security Report, similar incidents like the Solara Medical Supplies breach resulted in a $9.76 million class action settlement, showing that the financial fallout often dwarfs the cost of the initial security investment. The report suggests these breaches persist because organizations report "limited visibility into third-party cybersecurity controls" and often rely on legal Business Associate Agreements (BAAs) instead of enforcing technical safeguards at the point of transmission. With healthcare breaches taking an average of 10 months to detect and contain, the delay in discovering the Medibase incident (from January to May) fits a systemic trend of "operational cracks" that leave sensitive PHI exposed to unauthorized actors for extended periods.

FAQs

Are covered entities liable for breaches at their business associates?

Covered entities are required under HIPAA to obtain contractual assurances that business associates will safeguard protected health information and may face scrutiny if vendor oversight is inadequate.

What is a business associate under HIPAA?

A business associate is a person or organization that performs services for a covered entity and requires access to protected health information in order to carry out those services.

Why do settlements often occur without admission of liability?

Defendants frequently settle to limit legal expenses and operational disruption while avoiding extended litigation, even when they dispute the underlying allegations.

What types of damages are typically offered in healthcare breach settlements?

Settlements often include credit or medical monitoring services, identity theft insurance coverage, and reimbursement for documented out-of-pocket losses.

How do vendor breaches affect healthcare compliance programs?

Vendor-related incidents often prompt healthcare organizations to reassess third-party risk management practices, contract terms, and ongoing security monitoring to reduce regulatory and litigation exposure.