By Steve Levine
Cardiovascular Consultants Ltd., a cardiology practice based in Arizona, agreed to a $3.85 million class action settlement to resolve claims arising from a data breach it detected on September 29, 2023. According to the lawsuit, a threat actor gained unauthorized access to the practice's computer systems, exfiltrated files containing sensitive patient and employee information, and then deployed ransomware. Roughly 484,000 people were affected.
The information potentially exposed includes names, Social Security numbers, addresses, dates of birth, contact information, driver's license or state ID numbers, health insurance information, and medical information such as diagnosis and treatment details. CVC began mailing notice of the incident to affected individuals on December 2, 2023. The case is Stroup, et al. v. Cardiovascular Consultants Ltd., pending in the Superior Court of Arizona, Maricopa County. The court granted preliminary approval of the settlement on February 24, 2026. Cardiovascular Consultants denies any wrongdoing, and the settlement was not an admission of liability. Important: the July 1, 2026 claim deadline has passed, so this settlement is now closed and no new claims can be filed.
The Settlement Class included all United States residents whose personal information was potentially compromised in the Cardiovascular Consultants data breach detected on September 29, 2023. Class members were sent a notice by email or postcard containing a Class Member ID.
People who submitted a valid exclusion request by the June 1, 2026 opt-out deadline were not part of the settlement. The claim window has now closed, so retrieving a lost Class Member ID is no longer relevant — no new claims can be submitted.
The settlement offered three types of compensation, and claimants could combine more than one as long as the total did not exceed $5,000:
Actual cash amounts depend on how many valid claims were filed and the final costs of administration, attorneys' fees, and court-approved awards. Under the settlement's payment order, documented out-of-pocket losses are paid first, then medical monitoring, then pro rata cash — if valid documented-loss claims exceed the net fund, those reimbursements are reduced pro rata, monitoring can drop to one year, and no pro rata cash payments would be made. Documented losses had to be supported by third-party records such as credit card statements or bills; self-prepared receipts alone were not enough.
Important: the claim filing window has closed. This section is left for reference only. Claims could previously be filed online through the official settlement website or by mailing a paper claim form to the settlement administrator, Kroll Settlement Administration. Filing online required the Class Member ID printed on the email or postcard notice sent to class members — that requirement is now moot since filing is closed.
The filing deadline was July 1, 2026 — online claims had to be submitted by 11:59 p.m. Mountain Time, and mailed claims postmarked, by that date. Claims submitted after the deadline will not be paid.
Payments will only be issued after the court grants final approval and any appeals are resolved, so expect checks or electronic payments to go out sometime after the August 18, 2026 hearing.
The only authorized website for this settlement was CVCDataSettlement.com. Since the claim window has closed, be especially wary of any message asking you to "file" or "verify" a Cardiovascular Consultants claim now — that is not a legitimate request. No legitimate administrator will ask you to pay a fee, share your full bank login, or "verify" your identity through an unsolicited phone call or text.
This breach was one of a wave of healthcare data incidents producing settlements. You can browse currently open cases on our data breach settlements tracker, including the similar South Texas Oncology and Hematology data breach settlement, which also required a Class Member ID and closed July 6, 2026.
You were a Settlement Class Member if you are a U.S. resident whose personal information was potentially compromised in the Cardiovascular Consultants Ltd. data breach detected on September 29, 2023. Class members were sent a notice by email or postcard containing a Class Member ID.
Class members could claim a pro rata cash payment (estimated at about $75), reimbursement of up to $5,000 for documented out-of-pocket losses fairly traceable to the breach, and two years of medical monitoring, with a combined cap of $5,000 per claimant. The July 1, 2026 claim deadline has passed and the settlement is now closed to new claims.
The claim deadline was July 1, 2026. That deadline has passed, and the settlement is now closed — no new claims can be filed. The exclusion (opt-out) deadline was June 1, 2026, and the final approval hearing is set for August 18, 2026.
Filing online required the Class Member ID printed on the email or postcard notice sent by the settlement administrator. The pro rata cash payment and medical monitoring did not require receipts, but reimbursement claims of up to $5,000 had to be supported by documentation. This is now moot — the July 1, 2026 claim deadline has passed and filing is closed.
Cardiovascular Consultants Ltd., an Arizona cardiology practice, detected unauthorized access to its computer systems on September 29, 2023. A threat actor exfiltrated files containing names, Social Security numbers, addresses, dates of birth, contact information, driver's license or state ID numbers, health insurance information, and medical information before deploying ransomware. About 484,000 people were affected.
Status: Open
Pre-Qualify
Pre-Qualify Here
Submit Claim
Pro Rata Cash · No Proof for Up to 5 Modules
Submit Claim
Deadline: August 27, 2026
Submit Claim
Deadline: June 30, 2026
Submit Claim
Est. $40–$200 Cash · No Proof Required
Submit Claim