Cardiovascular Consultants Ltd., a New Jersey cardiology practice, has agreed to settle a class action lawsuit for $3.85 million following a 2023 data breach that exposed sensitive patient information for approximately 500,000 individuals. The settlement, stemming from the case Stroup, et al. v.
Cardiovascular Consultants Ltd., provides affected patients with multiple forms of compensation, including direct cash payments and identity protection services. Although the company denies wrongdoing, the settlement was negotiated to resolve claims that the September 2023 breach—which compromised names, Social Security numbers, dates of birth, driver’s license information, and detailed medical records—exposed victims to identity theft, fraud, and other harms. We’ll also explain the distinction between documented losses and pro rata payments, walk through the claims process, and address common concerns about credit monitoring and long-term protection.
Table of Contents
- What Is the Settlement Amount and How Much Will Each Victim Receive?
- What Data Was Compromised in the Breach?
- Who Is Affected and How Many People Were Impacted?
- How Do You File a Claim and What Are the Deadlines?
- What Identity Protection Services Are Included in the Settlement?
- Does the Settlement Address Future Security Improvements at Cardiovascular Consultants?
- What This Settlement Means for Healthcare Data Breach Litigation
What Is the Settlement Amount and How Much Will Each Victim Receive?
The $3.85 million settlement provides two pathways for compensation. If you suffered documented, unreimbursed losses directly related to the breach—such as fraudulent charges, credit repair costs, or expenses tied to identity theft—you can claim up to $5,000 per documented loss. This route requires proof: receipts, billing statements, credit reports, or other evidence showing the specific harm and its cost. The alternative is a pro rata cash payment, estimated at approximately $100 per class member, available to all eligible patients who file a valid claim regardless of whether they can document individual losses.
The pro rata approach ensures everyone receives something without requiring extensive documentation, though the per-person payout is modest. The difference between these two options matters significantly. A patient who discovered fraudulent credit card charges or paid for credit monitoring can file for actual losses and potentially receive far more than $100. However, most class members will likely receive the pro rata payment unless they have clear documentation of breach-related harm. Kroll Settlement Administration LLC is managing the claims process and adjudicating compensation requests.
What Data Was Compromised in the Breach?
The September 29, 2023 breach exposed a comprehensive set of sensitive personal and medical information for each affected individual. Stolen data included names, mailing addresses, dates of birth, social Security numbers, driver’s license or state ID numbers, insurance policy information, medical diagnoses, treatment details, and complete billing records. This is the type of data criminals actively seek: combined with financial identifiers like Social Security numbers, it enables full-spectrum identity theft, fraudulent credit applications, and medical fraud. However, there is an important limitation to understand: the scope and severity of the breach varies by individual.
Not every person whose data was exposed has necessarily experienced fraud or identity theft. The settlement recognizes this by offering two tiers of compensation—documented losses for those harmed, and a baseline pro rata payment for everyone. If you received notification of the breach but have seen no fraudulent activity, unauthorized credit accounts, or other signs of misuse, you should still file a claim to secure the pro rata payment and the complimentary credit monitoring. The presence of your data in the breach means risk exists, even if current harm is not yet apparent.
Who Is Affected and How Many People Were Impacted?
Approximately 500,000 patients, guarantors, and staff members were affected by the Cardiovascular Consultants breach. This figure encompasses not just patients seen at the cardiology practice but also family members listed as guarantors on patient accounts and employees. The broad reach reflects the reality of modern healthcare data—a single breach at a medical practice exposes everyone whose information passed through that organization’s systems.
Because the affected population is so large, even a $3.85 million settlement results in modest per-person compensation. This illustrates a key tension in class action settlements: aggregate dollars can seem substantial but spread thin across hundreds of thousands of people. A patient with five documented $300 losses from fraudulent activity would exceed the pro rata payment significantly, but someone with no documented losses receives the estimated $100. The settlement structure acknowledges both scenarios.
How Do You File a Claim and What Are the Deadlines?
To receive compensation from this settlement, you must submit a claim by the deadline of March 6, 2026. This date is approaching quickly, so if you have not already filed, you should act immediately. Claims are filed with Kroll Settlement Administration LLC through the settlement website, and the process typically requires basic information: verification that you were a patient of Cardiovascular Consultants Ltd. or an affected individual, and either documentation of losses (if seeking the higher claim) or confirmation of your eligibility (for the pro rata payment).
The comparison between filing effort and potential recovery is worth considering. If you document losses, expect to gather receipts, credit reports, medical bills, or other supporting documents—effort that might take several hours but could yield $1,000 to $5,000. If you take the pro rata route, you simply verify your information and receive approximately $100. For many people, the pro rata path makes sense, but those with documented fraud or monitoring costs should invest the time in a higher claim. The Final Approval Hearing is scheduled for August 18, 2026, after which distributions to approved claimants should begin.
What Identity Protection Services Are Included in the Settlement?
All class members receive two years of complimentary credit monitoring and identity theft protection services through the settlement. These services typically include credit report monitoring, identity theft alerts, and in some cases, restoration assistance if fraud is detected. For patients concerned about the long-term risk of their stolen Social Security numbers and medical information being misused, this benefit extends your safety window. However, there is an important caveat: credit monitoring and identity theft protection are not foolproof prevention.
These services monitor activity and alert you to suspicious changes, but they cannot prevent a criminal from using your data if they choose to. Additionally, the two-year window has limits. After the complimentary period ends, you would need to enroll in paid monitoring or rely on your own vigilance. Given that your Social Security number and complete medical records are now in circulation, vigilance beyond the two-year window remains prudent—checking your credit reports annually through free sources like AnnualCreditReport.com and monitoring medical statements for unauthorized treatment claims.
Does the Settlement Address Future Security Improvements at Cardiovascular Consultants?
The settlement does not publicly mandate specific cybersecurity upgrades or organizational changes at Cardiovascular Consultants Ltd. The company agreed to settle but denies wrongdoing, which is a common outcome in healthcare data breach settlements.
This means the settlement compensates victims but does not include enforceable requirements for the defendant to implement enhanced security measures, audits, or governance changes. From a victim’s perspective, this is a limitation—your recovery is financial, but the underlying system vulnerabilities that enabled the breach may not be formally addressed.
What This Settlement Means for Healthcare Data Breach Litigation
The Cardiovascular Consultants settlement is one of several healthcare data breach settlements reaching resolution in 2026. It reflects a consistent pattern in healthcare litigation: large patient populations, exposed records containing Social Security numbers and medical details, and settlements in the low-to-mid millions range.
The settlement amount—while significant—translates to roughly $7.70 per affected individual before legal fees and administrative costs, underscoring the challenge plaintiffs face in pursuing healthcare data breach cases. Yet these settlements serve an important function: they acknowledge harm, provide compensation to victims, and incentivize healthcare organizations to invest in data protection, even if not formally mandated.
You Might Also Like
- Essen Medical Associates Data Breach Settlement Reaches $4 Million
- Settlement Approved for Canadians Affected by 23andMe Data Breach
- LastPass $24.45M Data Breach Settlement Opens Claim Submissions
Open Settlements You Can Claim Now
Browse current class action settlements accepting claims — several require no proof of purchase: