Cardiovascular Consultants will pay up to $5,000 to the 484,000 patients whose medical records were exposed in its 2023 breach — plus 2 years of free monitoring — claim by July 1

If you were a patient of Cardiovascular Consultants, the large cardiology practice serving the Phoenix metropolitan area, your medical records may have been part of a 2023 data breach that exposed the personal and health information of 484,000 people. A class action settlement now entitles affected patients to claim up to $5,000 in documented losses and enroll in two years of free credit and identity monitoring. The deadline to file is July 1.

The breach is logged on the U.S. Department of Health and Human Services HIPAA Breach Portal, which publicly tracks healthcare data incidents affecting 500 or more individuals. HHS categorized the Cardiovascular Consultants incident as a hacking/IT event, and at 484,000 people it is one of the largest healthcare breaches reported in 2023.

What was exposed and why it matters

According to breach notification letters sent to patients, the compromised data may include names, dates of birth, Social Security numbers, health insurance details, and medical records covering diagnoses and treatment histories. For cardiology patients specifically, that information can paint a detailed picture of chronic heart conditions, surgical procedures, and prescription regimens.

That level of detail makes the data valuable to identity thieves. Stolen medical records can be used to file fraudulent insurance claims, obtain prescription drugs, or build synthetic identities. Under HIPAA’s breach notification rules, Cardiovascular Consultants was required to notify every affected patient individually, report the breach to HHS, and issue a public notice given the scale of the incident. The practice completed those steps, which is how the breach entered the federal record.

How the settlement works

The settlement, reached through a class action lawsuit filed on behalf of patients whose data was compromised, offers two tracks of relief:

Documented losses up to $5,000. Patients who can show out-of-pocket expenses tied to the breach, such as fraudulent charges, credit repair fees, costs for freezing or unfreezing credit reports, or time spent resolving identity theft, may claim reimbursement up to that cap. Supporting documentation like bank statements, receipts, or police reports strengthens a claim.

Two years of free monitoring. All 484,000 eligible patients can enroll in credit monitoring and identity protection services at no cost, regardless of whether they file a monetary claim. This monitoring can flag new accounts, hard credit inquiries, or changes to public records tied to a patient’s identity.

“Patients who received a written notice should follow the instructions in that mailing carefully,” said a representative for the settlement administrator in correspondence reviewed for this article. The notice typically includes a unique claim number and a link to the settlement website. Those who believe they were affected but did not receive a notice can confirm the incident on the HHS Breach Portal and contact Cardiovascular Consultants directly for claim details.

How this compares to other healthcare breach settlements

The $5,000 per-person cap falls within the range seen in other major healthcare breach settlements, though the actual payout any individual receives depends heavily on how many people file and what losses they can prove.

For context: the 2017 Anthem settlement, which resolved claims stemming from a breach that affected roughly 79 million people, offered up to $10,000 for documented losses. Community Health Systems, after a 2014 breach affecting 4.5 million patients, reached a $3.1 million settlement that translated to modest individual payments once divided among claimants and attorneys.

In most data breach settlements, participation rates are low. Only a small fraction of eligible individuals, often a single-digit percentage, actually file. That pattern can work in favor of patients who do submit claims, since a smaller pool means faster processing and potentially fuller payouts.

The $5,000 figure, in other words, is a ceiling. Patients with clear documentation of fraud or breach-related expenses are positioned to recover the most.

What remains unclear about the settlement terms

The HHS portal confirms the scale and category of the incident but does not publish settlement terms, payment structures, or claim deadlines. The $5,000 cap, the two-year monitoring period, and the July 1 deadline are drawn from settlement notices distributed to affected patients and posted by the settlement administrator. These terms have not been independently verified against a publicly available court filing or regulatory order. That does not make them unreliable, but patients should confirm the details through their own notice letter or the settlement administrator’s website before filing.

Cardiovascular Consultants has not publicly disclosed the specific attack vector, such as whether the breach resulted from ransomware, a phishing attack, or another form of network intrusion. The practice has also not named the threat actor. Those details may emerge if the Office for Civil Rights pursues a separate enforcement action or if court filings in the class action become more widely available.

Steps to take before the July 1 deadline

Patients who received care from Cardiovascular Consultants and believe their data may have been compromised should act before the filing window closes.

Locate your settlement notice. Check mail and email for correspondence from the practice or the settlement administrator. The notice will contain your unique claim number and filing instructions.

Gather evidence of losses. Review bank and credit card statements from 2023 through the present for unauthorized charges. Collect receipts for any expenses you incurred while responding to potential identity theft, including credit monitoring services you purchased on your own, fees for credit freezes, or costs for notarizing fraud affidavits.

File your claim before July 1. Late submissions are unlikely to be accepted. Even if you have not noticed suspicious activity, enrolling in the free two-year monitoring is worth the few minutes it takes. Stolen medical data can surface months or even years after a breach, and the monitoring provides an early warning system at no cost.
