Memorial Hospital and Manor located in Bainbridge, Georgia, suffered a ransomware attack and data breach in November 2024. As a result, class action lawsuits were filed against the hospital. On November 2, 2024, the rural hospital discovered the ransomware attack and prevented access to its EMR system, website, and email account. The following day, the HIPAA-regulated hospital posted a notification about the attack on its Facebook account. On February 7, 2025, Memorial Hospital and Manor sent notification letters to the impacted individuals. The breach report submitted to the HHS’ Office for Civil Rights indicated that the breach compromised the protected health information (PHI) of 120,085 individuals. The breached data included names, Social Security numbers, birth dates, medical insurance data, medical treatment details, and medical backgrounds.
On February 10, 2025, plaintiff Morgan Wade filed the first class action lawsuit in the District Court for the Middle District of Georgia, Albany Division. Other affected patients filed another 9 class action lawsuits. In the State Court of Decatur County, Georgia, all the lawsuits had been consolidated and filed as a single complaint – Smith et al. v. The Hospital Authority of the City of Bainbridge and Decatur County d/b/a Memorial Hospital and Manor, because the lawsuits had identical claims with overlapping classes. Several claims asserted in the consolidated lawsuit included negligence for not implementing reasonable and proper safety measures to ensure the privacy of patient information kept on its system. Memorial Hospital and Manor does not admit to any wrongdoing; nevertheless, all parties decided to resolve the lawsuit to avert the costs and uncertainty of a trial and correlated appeals.
Based on the settlement agreement, the class is made up of roughly 105,000 present and past patients who received notifications about the data breach. The terms of the settlement state that class members could file a claim for refund of documented, unreimbursed losses brought about by the data breach up to $5,000, and can claim as much as $100 as a refund for lost time (up to 4 hours valued at $25 an hour). Instead of filing a claim for compensation for losses and lost time, class members could opt for a $40 cash payment. Class members are likewise eligible to sign up for the CyEx Medical Shield Pro medical data tracking service for one year. The service comes with a $1,000,000 coverage for medical identity theft insurance.
The court already gave preliminary approval of the settlement. The final fairness hearing is on January 20, 2026. The last day to submit a claim is January 5, 2026, and those who wish to object to or opt out of the settlement can do so until December 22, 2025.