Illinois Bone and Joint Institute has agreed to a $4 million settlement to resolve consolidated class action litigation related to a 2024 cyberattack that exposed patient data of up to 665,321 individuals.
Incident Overview
Illinois Bone and Joint Institute identified unauthorized access to its computer systems on or around July 4, 2024. A forensic investigation determined that unauthorized actors accessed the network between May 30, 2024, and July 4, 2024, and copied files the include patient information. The following patient data were compromised: names, addresses, birth dates, Social Security numbers, diagnosis and treatment details, and medical insurance and claims details.
As a HIPAA-covered entity, Illinois Bone and Joint Institute reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights as affecting initially approximately 183,000 individuals. The reported total was later updated to 665,321 individuals. The litigation identifies approximately 568,000 individuals as part of the settlement class.
Litigation Details
Guy Redman filed the first class action lawsuit related to the incident in the Circuit Court of Cook County, Illinois, County Department, Chancery Division. Other plaintiffs filed seven other lawsuits. All cases were consolidated into a single complaint due to overlapping claims.
The consolidated complaint stated claims that included invasion of privacy, negligence, unjust enrichment, breach of implied contract, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act.
Illinois Bone and Joint Institute denied all claims and allegations presented in the litigation, including claims of fault, wrongdoing, and liability.
Settlement Terms
Mediation resulted in the decision of the parties to settle the litigation and avoid continued legal proceedings and trial uncertainty. The settlement has received preliminary approval from the court. A final fairness hearing is scheduled for July 1, 2026.
The agreement creates a $4 million settlement fund. The fund will cover attorneys’ fees and expenditures, service awards for class representatives, settlement administration and notification costs. The remaining settlement funds will be allotted for class member benefits.
Class Member Benefits
Class members are eligible to receive medical data monitoring services for two years. The settlement also provides refund for out-of-pocket losses associated with the data breach.
Eligible individuals may submit claims for up to $5,000 in documented, unreimbursed losses. Class members may also receive a pro rata cash payment valued at $50 per class member. The actual cash payment amount is to be determined based on the total number of approved claims.
Deadlines and Participation Requirements
The last day to submit a claim is July 1, 2026. Individuals who seek exclusion from the settlement or wish to object must do so by June 1, 2026.