Privacy as a market risk

- Health-data mishandling continues to produce large financial and reputational costs for organizations.
- Memorial Heart Institute agreed to pay $3.75 million to settle litigation over a data breach.
- FBI warnings about apps that collect personal data and developer cautions about sending PHI to LLMs are increasing consumer privacy scrutiny (chattanoogan.com) (theblaze.com) (x.com).

A health-data breach can turn into a balance-sheet problem fast. Memorial Heart Institute agreed this week to pay $3.75 million to settle litigation over a 2023 cyberattack. (chattanoogan.com)

The Tennessee provider, which does business as Chattanooga Heart Institute, said an unauthorized party had access to its network from March 8 to March 16, 2023. The attack was identified on April 17, 2023, and the settlement’s final fairness hearing is set for May 28, 2026. (hipaajournal.com)

Court and settlement records say about 460,000 people may have had private information exposed, including about 287,000 whose Social Security numbers were involved. The data at issue included names, contact details, dates of birth, insurance information, lab results, medications, and other clinical or financial records. (produseksacafa.blob.core.windows.net)

The proposed deal splits the money into two pools: a non-reversionary $2 million fund for the Social Security number subclass and up to $1.75 million for the broader class. Class members can seek up to $5,500 for documented losses and elect two years of monitoring services. (hipaajournal.com)

Federal officials are widening the privacy discussion beyond hospitals and insurers. On March 31, 2026, the Federal Bureau of Investigation’s Internet Crime Complaint Center warned that foreign-developed mobile apps used in the United States can collect contacts, addresses, user IDs, prompts, and other device data, and may store that information on servers in China. (ic3.gov)

The bureau said some apps can keep collecting data across a device after a user grants permissions, not just inside the app while it is open. It also said some services offer a local-download option that can keep queries on the device instead of sending them to a cloud service. (ic3.gov)

In healthcare, the same question is moving into artificial-intelligence tools: where does the data go after a prompt is sent? The Centers for Medicare & Medicaid Services told staff and contractors in 2025 to protect personally identifiable information and protected health information when using generative artificial-intelligence tools, including third-party platforms. (security.cms.gov)

The Department of Health and Human Services has also been tightening guidance around digital tracking and health privacy. Its Office for Civil Rights says HIPAA governs breaches of protected health information affecting 500 or more people, and it updated guidance on online tracking technologies in March 2024. (hhs.gov) (networkforphl.org)

Memorial Heart Institute did not admit liability in the settlement. The case shows how a single privacy failure can produce years of court costs, monitoring claims, and public scrutiny long after the network intrusion ends. (chattanoogan.com)
