Cyberattack Settlements Reached by New Liberty Hospital, New York Blood Center, and Memorial Blood Centers
Three healthcare organizations—New Liberty Hospital (Missouri), New York Blood Center, and Memorial Blood Centers (Minnesota)—have settled class action lawsuits stemming from cyberattacks that exposed sensitive patient and donor data.
New Liberty Hospital (Missouri)
In December 2023, New Liberty Hospital suffered a cyberattack where attackers claimed to have exfiltrated protected health information (PHI) of 264,541 individuals, including names, Social Security numbers, medical records, and insurance details. While it remains unclear if data was encrypted, a ransom note was received, and the breach was confirmed in an investigation. Affected individuals were notified in February 2024.
Two lawsuits filed in January and February 2024 were consolidated into C.P. et al. v. New Liberty Hospital Corporation in the District Court of Clay County, Missouri. The suits alleged negligence, breach of confidentiality, and violations of the Missouri Merchandising Practices Act, among other claims. Though the hospital denies wrongdoing, it agreed to a $1.5 million settlement to avoid litigation costs.
The settlement fund will cover attorneys’ fees, administrative costs, and payments to class members, with individuals eligible for up to $500 in documented loss reimbursements or an estimated $150 cash payment. Additionally, the hospital will invest over $1 million in cybersecurity upgrades. The claim deadline is January 12, 2026, with a final approval hearing set for January 20, 2026.
New York Blood Center & Memorial Blood Centers
In January 2025, hackers breached systems at the New York Blood Center and Memorial Blood Centers, exposing data of 18,487 employees and 175,335 donors, including names, Social Security numbers, blood test results, and financial information.
Multiple lawsuits were consolidated into Dean, et al. v. New York Blood Center, Inc., et al in the Ramsey County District Court, Minnesota, alleging negligence in failing to secure sensitive data. The organizations deny liability but agreed to a $500,000 settlement to resolve the case.
The fund will cover attorneys’ fees (up to $166,666.66), expenses, and service awards, with remaining funds allocated to class members. Affected individuals may claim up to $2,500 for documented losses or an estimated $20 cash payment, along with a one-year medical data monitoring service with $1 million identity theft insurance. The objection deadline is January 12, 2026, with claims due by February 11, 2026, and a final approval hearing on February 10, 2026.
Memorial Blood Centers cybersecurity rating report: https://www.rankiteo.com/company/memorial-blood-centers
"id": "MEM1767094776",
"linkid": "memorial-blood-centers",
"type": "Cyber Attack",
"date": "12/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '264,541 individuals',
'industry': 'Healthcare',
'location': 'Missouri, USA',
'name': 'New Liberty Hospital Corporation',
'type': 'Hospital'},
{'customers_affected': '18,487 employees + 175,335 '
'donors',
'industry': 'Healthcare/Non-Profit',
'location': 'New York, USA',
'name': 'New York Blood Center',
'type': 'Blood Center'},
{'customers_affected': '18,487 employees + 175,335 '
'donors',
'industry': 'Healthcare/Non-Profit',
'location': 'Minnesota, USA',
'name': 'Memorial Blood Centers',
'type': 'Blood Center'}],
'customer_advisories': 'Breach notifications sent to affected individuals '
'(Liberty Hospital: Feb 8, 2024; NY Blood Center: '
'post-January 2025)',
'data_breach': {'data_encryption': 'Unclear (Liberty Hospital: not confirmed '
'if data was encrypted)',
'data_exfiltration': 'Confirmed (Liberty Hospital: attacker '
'claimed to have downloaded data)',
'number_of_records_exposed': '264,541 (Liberty Hospital) + '
'193,822 (NY Blood Center & '
'Memorial Blood Centers)',
'personally_identifiable_information': 'Yes (names, '
'addresses, SSNs, '
'DOBs, etc.)',
'sensitivity_of_data': 'High (medical, financial, and PII)',
'type_of_data_compromised': ['Protected health information',
'Personally identifiable '
'information',
'Financial information',
'Medical records',
'Social Security numbers',
'Government IDs']},
'date_detected': '2023-12-19',
'date_publicly_disclosed': '2024-02-08',
'description': 'New Liberty Hospital in Missouri, Memorial Blood Centers in '
'Minnesota, and the New York Blood Center have settled class '
'action lawsuits over cyberattacks that exposed patient and '
'donor data.',
'impact': {'brand_reputation_impact': 'Likely negative impact due to lawsuits '
'and settlements',
'data_compromised': 'Protected health information, personally '
'identifiable information, financial '
'information, medical records, Social Security '
'numbers, health insurance information, '
'driver’s license numbers, government ID '
'numbers, blood test results',
'financial_loss': '$1,500,000 (Liberty Hospital settlement) + '
'$500,000 (NY Blood Center & Memorial Blood '
'Centers settlement)',
'identity_theft_risk': 'High (SSNs, medical records, financial '
'data exposed)',
'legal_liabilities': 'Class action lawsuits, regulatory violations '
'(HIPAA likely)',
'payment_information_risk': 'Moderate (financial information for '
'direct deposits exposed)'},
'investigation_status': 'Settled (class action lawsuits resolved)',
'motivation': 'Financial Gain',
'post_incident_analysis': {'corrective_actions': 'Cybersecurity enhancements '
'(Liberty Hospital: $1M+ '
'investment)',
'root_causes': 'Inadequate security measures to '
'protect sensitive data'},
'ransomware': {'data_encryption': 'Unclear (Liberty Hospital)',
'data_exfiltration': 'Yes (Liberty Hospital)',
'ransom_demanded': 'Yes (Liberty Hospital received a ransom '
'note)'},
'recommendations': 'Invest in cybersecurity enhancements, implement stronger '
'data protection measures, and ensure timely breach '
'notifications.',
'references': [{'source': 'HIPAA Journal'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuits settled',
'regulations_violated': ['HIPAA (likely)']},
'response': {'communication_strategy': 'Public disclosure via notifications '
'(Liberty Hospital: Feb 8, 2024; NY '
'Blood Center: post-January 2025 '
'breach)',
'enhanced_monitoring': 'Liberty Hospital agreed to invest '
'$1,000,000+ in cybersecurity '
'enhancements'},
'title': 'New Liberty Hospital; New York Blood Center; Memorial Blood Centers '
'Data Breach Settlements',
'type': 'Data Breach'}