Alabama Cardiovascular Group Hit With $2.23M Data Breach Settlement 280,000 Patients Can Claim Up To $5,000 By March 6, 2026

Alabama Cardiovascular Group agreed to pay $2.23 million to settle a class action lawsuit over a July 2024 data breach that exposed names, Social Security numbers, medical records, and financial information of 280,534 patients. If you received a breach notification, you can file a claim at AlabamaCardioDataSettlement.com by March 6, 2026, for up to $5,000 in documented losses or a pro-rata cash payment, plus two years of free credit monitoring.

Healthcare data breaches affected 133 million Americans in 2023 alone—a 156% increase from the previous year. In July 2024, hackers gained access to Alabama Cardiovascular Group’s systems for nearly a month, stealing highly sensitive personal and health data from over 280,000 patients. Now those victims can finally claim compensation from a newly approved $2.23 million settlement—but the deadline is approaching fast.

What Happened: The July 2024 Alabama Cardiovascular Group Breach

On July 2, 2024, Alabama Cardiovascular Group discovered unauthorized access to its computer network. The breach window ran from June 6 through July 2, 2024—26 days of unrestricted access to patient records.

What hackers accessed:

• Full names and addresses
• Social Security numbers
• Dates of birth
• Medical record numbers
• Health insurance information and claims data
• Treatment and diagnosis information
• Driver’s license or passport numbers
• Credit/debit card details
• Bank account information
• Email addresses and phone numbers
• System usernames and passwords

The clinic disconnected its network immediately and terminated unauthorized access. But for nearly a month, cybercriminals had unrestricted access to one of Alabama’s largest cardiovascular practices.

Alabama Cardiovascular Group serves the Birmingham area and surrounding regions, specializing in heart and vascular care. The breach affected 280,534 current patients, former patients, guarantors, employees, and physicians.

Similar to recent healthcare breaches like the $13.75M WebTPA settlement affecting 2.4 million people, victims face long-term identity theft risks that extend far beyond the immediate breach.

The Lawsuit: What Patients Alleged

Three patients—Tammy Brown, Vanessa Brooks, and Emily Smith Sanders—filed a class action lawsuit in the Circuit Court of Jefferson County, Alabama (Case No. 01-CV-2024-903135).

Legal claims asserted:

Negligence. Failing to implement adequate cybersecurity safeguards to protect sensitive patient data.

Negligence per se. Violating statutory duties under Alabama data protection and healthcare privacy laws.

Breach of contract. Violating the implied agreement to protect patient information in exchange for medical services.

Breach of implied contract. Failing to honor the understood duty to safeguard data entrusted during the patient-provider relationship.

Unjust enrichment. Profiting from patient relationships while failing to invest adequately in data security.

Breach of fiduciary duty. Violating the special trust relationship between healthcare providers and patients.

Alabama Cardiovascular Group denied all allegations but agreed to settle to avoid the costs and uncertainties of prolonged litigation.

Judge Pat Ballard is overseeing the case, which received preliminary approval in December 2025.

The $2.23 Million Settlement: Who Qualifies and What You Get

Eligibility requirements:

✓ You received a written breach notification from Alabama Cardiovascular Group stating your information may have been compromised in the July 2, 2024 data breach

✓ You reside in the United States

That’s it. If you got the notice letter, you’re automatically a class member.

What you can claim:

Option 1: Documented Loss Payment (Up to $5,000)

If you experienced actual financial losses because of the breach, you can recover up to $5,000 with proper documentation.

Covered losses include:

• Credit monitoring or identity theft protection costs
• Bank fees from fraudulent transactions
• Communication costs (phone, mail, internet) dealing with the breach
• Travel expenses related to resolving identity theft
• Professional fees (accountants, attorneys)
• Lost time dealing with breach consequences (up to 10 hours at $25/hour)
• Any other documented expenses fairly traceable to the breach

Documentation required: Receipts, invoices, bank statements, credit card statements, or other third-party proof of expenses. Self-prepared documents alone won’t work.

Option 2: Pro Rata Cash Payment (Amount TBD)

If you didn’t experience documented losses, you can still receive a cash payment from the remaining settlement fund.

The amount varies based on how many people file claims. Based on similar settlements like the $2.5M Panera data breach case, expect somewhere between $20-$100 per person.

Bonus: Two Years of Free Credit Monitoring (Everyone)

All class members—regardless of which payment option you choose—are eligible for two years of CyEx Medical Shield Complete services:

• One-bureau credit monitoring
• $1 million identity theft insurance
• Dark web monitoring
• Real-time fraud alerts

This is in addition to your cash payment, not instead of it.

How to File Your Claim Before the March 6, 2026 Deadline

CLAIM DEADLINE: March 6, 2026

File online: Visit AlabamaCardioDataSettlement.com and complete the claim form

File by mail:
ACG Data Incident Settlement
c/o Settlement Administrator
P.O. Box 5229
Baton Rouge, LA 70821

Get help: Call 1-855-359-2114 or email [email protected]

What you’ll need:

• Your Settlement Claim ID (found on your postcard notice)
• Contact information
• Attestation that you received a breach notice
• Documentation of losses (if claiming reimbursement)

If you lost your postcard notice, email the settlement administrator with your name and last known address to confirm eligibility.

Important Dates You Need to Know

February 4, 2026: Deadline to opt out or object to the settlement

March 6, 2026: Final claim filing deadline

March 20, 2026: Final fairness hearing at 11:00 a.m. Central Time

After final approval: Settlement administrator reviews claims and calculates payments (typically 60-180 days)

Miss these deadlines and you forfeit your right to compensation—even if you were directly affected.

Your Options: Claim, Opt Out, Object, or Do Nothing

File a claim: Get your share of the settlement. You give up the right to sue Alabama Cardiovascular Group separately for this breach.

Opt out (by Feb. 4, 2026): Keep your right to sue independently but receive no settlement money. Only makes sense if you have extraordinary individual damages exceeding $5,000.

Object (by Feb. 4, 2026): Tell the court why you think the settlement is unfair. You’ll still be bound by the settlement but can voice concerns.

Do nothing: Get no money AND give up your right to sue. Worst option.

Similar to the $50M 23andMe settlement where most people chose to file claims rather than opt out, your best move is filing before the March 6 deadline.

Why This Settlement Matters for Healthcare Data Security

Healthcare remains the most targeted industry for cyberattacks, with breaches costing an average of $10.93 million per incident—more than any other sector.

Key takeaways:

Delayed discovery creates bigger damages. The 26-day breach window allowed extensive data theft before detection.

Inadequate security has consequences. The $2.23 million settlement demonstrates financial accountability for security failures.

Patient data is valuable on the black market. Medical records sell for up to $1,000 each on the dark web—far more than credit card data.

Healthcare providers face increasing scrutiny. Beyond civil settlements, the U.S. Department of Health and Human Services may impose separate HIPAA penalties.

Recent similar cases include the $14M Independent Living Systems settlement affecting 4.2 million patients and the $177M AT&T data breach settlement for 73 million customers.

FAQs

Do I need receipts to claim?

Only if you’re claiming documented losses up to $5,000. For the pro-rata cash payment and credit monitoring, no documentation is required.

What if I moved since the breach?

You’re still eligible if you received a breach notification. Update your address with the settlement administrator.

Can I claim for family members?

Only if they’re separate class members who received their own breach notification.

What happens if I don’t file a claim?

You get nothing and give up your right to sue separately.

Is the settlement taxable?

Potentially. Consult a tax professional, but settlement payments are generally considered taxable income.

The Bottom Line

If Alabama Cardiovascular Group notified you about the July 2024 data breach, you have until March 6, 2026 to claim up to $5,000 in documented losses or a cash payment from the $2.23 million settlement fund.

Don’t wait. File your claim today at AlabamaCardioDataSettlement.com or call 1-855-359-2114.

Healthcare data breaches aren’t going away. The average breach exposes records for 277 days before detection. This settlement represents one of your few opportunities to recover compensation for a violation of your medical privacy.

File now. The March 6 deadline won’t be extended.

Disclaimer: This article provides general information about the Alabama Cardiovascular Group data breach settlement. It does not constitute legal advice. For questions about your specific situation, visit AlabamaCardioDataSettlement.com or consult with an attorney.

About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah