Morris Hospital to Pay $1.36 Million Settlement After Data Breach

In April 2023, Morris Hospital & Healthcare Centers in Illinois suffered a cyberattack. Attackers from the Royal ransomware group gained access to the hospital’s systems, compromising and disclosing sensitive personal and health information of nearly 248,943 individuals, including patients, employees, dependents, and beneficiaries. The breach prompted multiple legal actions soon thereafter.

Multiple lawsuits were filed against the hospital. The plaintiffs allege the hospital did not maintain reasonable cybersecurity at the time of the attack. The claims include negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and a HIPAA violation under federal privacy law.

What the Settlement Means

To resolve the litigation, Morris Hospital has agreed to a class-action settlement totaling $1,361,571.77. The settlement, formally referred to as the Morris Hospital patient data breach settlement, will be distributed across several categories: attorney fees, paid or reimbursed administrative expenses, service awards to class representatives, and monetary relief to those who were directly affected.

Although the hospital denied any and all liability, it has stated that settling the action is the better option. Actively litigating the matter would ultimately create greater expenses and added risk for all parties. The $1.36 million settlement shows the hospital’s commitment to resolving the incident while affording relief to those affected.

Benefits for Affected Individuals

If you were involved in the Morris Hospital data breach and were sent a formal notice by Morris Hospital, you have the option to file a claim under the settlement.

Eligible claimants have two options:

  • Claimants may be able to claim a maximum of $5,000 for actual out-of-pocket expenses related to the Morris Hospital data breach. Examples of these expenses include losses from fraud, credit monitoring fees, phone or data charges, and bank fees.
  • Claimants who did not incur any documented expenses may still receive a cash payment expected to be around $100. The final amount will be determined by the actual number of valid claims made and the funds available after administrative expenses are deducted.

Further, all class members are entitled to 24 months of complimentary credit monitoring services, identity theft protection services, medical monitoring services, and fraud resolution assistance. These benefits are useful for members who have had their sensitive personal data compromised, as they provide both immediate relief and longer-term coverage.

Key Deadlines and Legal Steps

To be eligible for settlement benefits, class members must file a valid claim form by July 31, 2025.

If someone would like to object to the terms of settlement or request to opt out of the Morris Hospital data breach class action, then they should do so prior to September 29, 2025.

A final fairness hearing is scheduled for October 24, 2025. At that time, the court will review the terms of settlement and determine whether to finalize approval of the Morris Hospital settlement.

What This Really Means

Although the settlement does not imply any wrongdoing on Morris Hospital’s part, it does ensure that those impacted by the data exposure are compensated and kept safe. The inclusion of credit and medical monitoring is especially critical, as it reduces the chances of a more insidious long-term compromise of stolen private information.

This is especially important because the extent of the breach is a reminder of the data security challenges faced by those in the healthcare space. Hidden vulnerabilities exist in systems that one may believe have been adequately secured, and criminals' ability to craft convincing deception scenarios adds to the risk. Cybercriminals succeed almost daily with exploits that go undiscovered or unaddressed. They also target entities where they see meaningful criminal opportunity and take advantage of the weaknesses, which is followed very quickly by a multitude of lawsuits, record financial settlements, and unfortunate reputational damage. This incident even gave rise to a Morris Hospital data privacy lawsuit in some jurisdictions.

For the victims affected, the case perhaps exemplifies the opportunity for civil redress for loss or damage caused by data breaches. For those in the health sector, it signals the urgent need to take the necessary steps to mitigate any potential cyber exposure wherever possible, because losing patient trust will see health institutions disintegrate under the siloed data construct imposed upon them.

Essentially, this settlement, at a significant cost, recognizes accountability factors while trying in good faith to resolve things in practical terms. At the least, the case conveys the importance of a restorative justice paradigm and a structured mechanism to compensate victims while re-emphasizing a pivot to genuine data security practices throughout health institutions. The $1.36 million Morris Hospital settlement and other agreements demonstrate the tangible consequences of a HIPAA violation, highlighting why healthcare organizations must prioritize safeguarding patient information.


Copyright © 2025, ArticleOrbit | All Rights Reserved.