Jurimatic by Exlitem

Rodriguez v. City of Hope: $8.5M Data Breach Settlement

7 min read
Back to Home
in
Privacy
Cybersecurity
7 min read

Rodriguez v. City of Hope: $8.5M Data Breach Settlement

S
Sohini Chakraborty
December 26, 2025
Rodriguez v. City of Hope: $8.5M Data Breach Settlement

Table of Contents

Case Background

This civil litigation originated in the Superior Court of Los Angeles County, where Plaintiff Carli Rodriguez filed a class action lawsuit against the City of Hope. The central legal dispute revolved around a significant data security incident that occurred between September and October 2023, in which cybercriminals infiltrated the medical center's network. The Plaintiff sought to hold the organization accountable for its alleged failure to safeguard the sensitive personal and health information of over 800,000 individuals and for waiting nearly six months to notify the victims of the breach.

Cause

The legal conflict stemmed from a significant cybersecurity incident that targeted the City of Hope, a prominent medical treatment and research organization. Between September 19, 2023, and October 12, 2023, unauthorized third parties infiltrated the medical center's computer systems. The lawsuit alleged that cybercriminals had accessed and copied sensitive files containing the personal and medical information of numerous patients and employees. Although the City of Hope discovered the suspicious activity on October 13, 2023, the organization did not begin notifying affected individuals until April 2, 2024, nearly six months later. Carli Rodriguez, the representative Plaintiff, initiated the class action, asserting that the organization had failed to implement adequate security measures to prevent such an intrusion.

Injury

The breach exposed highly sensitive data belonging to Rodriguez and approximately 800,000 other individuals. The compromised information included names, email addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, and financial details such as bank account and credit card information. Furthermore, the hackers accessed private medical records, health insurance information, and medical history. Rodriguez claimed that this exposure caused her and the class members to suffer from a loss of privacy and a diminution in the value of their personal data. She also reported an increase in spam emails and significant anxiety regarding the potential for identity theft. The victims were forced to spend valuable time verifying the breach's impact, exploring credit monitoring options, and mitigating the risk of future fraud.

Damages Sought

The Plaintiff sought a variety of financial and equitable remedies to address the harm caused by the data breach. Rodriguez requested actual damages to compensate for the theft of personal information and the time lost dealing with the aftermath. She also pursued statutory damages under the Confidentiality of Medical Information Act and punitive damages to punish the Defendant for its alleged recklessness. Beyond monetary compensation, the lawsuit demanded restitution for any unjust enrichment the Defendant had gained by failing to spend appropriate funds on data security. Additionally, the Plaintiff sought injunctive relief, asking the Court to order the City of Hope to implement a comprehensive information security program, engage third-party auditors, and encrypt all collected data to prevent future occurrences.

Key Arguments and Proceedings

Legal Representation

Plaintiff(s): Carli Rodriguez, individually and on behalf of all others similarly situated

  • Counsel for Plaintiff(s): Daniel Srourian | Jason Wucetich | Dimitros V. Korovilas | Jeff S. Westerman | Samuel M. Ward | Andrew Gunem | Raina C. Borrelli | Berry Michael Anderson | Stephen R. Basser

Defendant(s): City of Hope, a California Corporation, and Does 1 through 100

  • Counsel for Defendant(s): Jeffrey A. Levee | Vogt John Alexander

Key Arguments or Remarks by Counsel

Claims

The legal team for Carli Rodriguez constructed a multi-faceted argument centered on the assertion that the City of Hope had neglected its fundamental duty to protect patient data. They presented seven specific causes of action to support their demand for accountability.

Negligence and Duty of Care Counsel argued that the City of Hope owed a duty of care to its patients and employees to safeguard their personal and medical information using commercially reasonable methods. They contended that the Defendant knew, or should have known, that its data systems were vulnerable to attack, especially given the prevalence of high-profile cyberattacks in the healthcare industry. The Plaintiff asserted that the organization had breached this duty by failing to maintain adequate computer systems, failing to encrypt data properly, and failing to detect the breach quickly.

Breach of Contract The lawsuit alleged that an implied contract existed between the patients and the medical center. By requiring patients to provide sensitive information as a condition of receiving care, the City of Hope had implicitly agreed to keep that information secure. The Plaintiff’s attorneys argued that the organization breached this contract when it failed to protect the data and subsequently failed to provide timely notice of the breach. For employees, the complaint asserted a similar breach of express contract related to their employment agreements.

Privacy Violations A significant portion of the argument focused on the violation of privacy rights. The legal team claimed that the City of Hope violated the Confidentiality of Medical Information Act (CMIA) by allowing unauthorized persons to view medical information without consent. They further argued that the Defendant had intruded upon the seclusion of the class members by maintaining a system so vulnerable that it effectively invited public exposure of private lives. This exposure was described as highly offensive to a reasonable person and a violation of social norms.

Unfair Business Practices Counsel contended that the Defendant’s failure to implement robust security measures constituted an unfair business practice under California law. They argued that by not spending the necessary funds on data security, the City of Hope gained an unfair competitive advantage over other institutions that did comply with the law. The Plaintiff claimed that the organization deceived consumers by concealing the inadequacies of its security systems.

Defense

While the specific defense filing was not included in the review, the context of such litigation typically involves a vigorous denial of liability. In similar proceedings, Defendants often argue that they implemented reasonable security measures and that the criminal acts of sophisticated cyber-hackers were the sole cause of the breach. The City of Hope likely contended that it had no intention of allowing the data theft and that it acted diligently once the breach was discovered. The notice letter sent to patients indicated that upon discovery, the organization immediately instituted mitigation measures, enlisted a leading cybersecurity firm, and reported the incident to law enforcement. They would have likely argued that these actions demonstrated a responsible reaction to a criminal event rather than negligence.

Settlement

Resolution of the Dispute The litigation between Carli Rodriguez and the City of Hope did not proceed to a final jury verdict in a Courtroom. Instead, the parties engaged in negotiations to resolve the complex issues regarding the data breach, the delayed notification, and the subsequent privacy concerns. These discussions ultimately led to a mutual agreement to settle the class action lawsuit, avoiding the uncertainty and expense of a prolonged trial.

Settlement Terms The City of Hope agreed to pay a total settlement amount of $8,500,000 to resolve the claims brought by Rodriguez and the class of affected individuals. This substantial fund served to compensate the approximately 800,000 people whose personal and medical information had been compromised during the 2023 cyberattack. The settlement addressed the various damages alleged in the complaint, including the time victims spent securing their identities and the anxiety caused by the loss of privacy.

Impact of the Resolution By agreeing to this settlement, the Defendant effectively closed the case without admitting to the specific allegations of negligence or intentional misconduct. For the Plaintiff and the class members, the resolution provided immediate financial recourse and validated their concerns regarding the safety of their sensitive health data. The outcome underscored the significant financial responsibilities that healthcare organizations face regarding cybersecurity and the protection of patient information. The lawsuit highlighted the critical need for prompt notification and robust defense systems in an era of increasing digital threats.

Court documents are available upon request at jurimatic@exlitem.com

Categories

Privacy
Cybersecurity

Tags

Consumer Protection
Data Breach
Medical Identity Theft

About the Author

SC
Sohini Chakraborty
Editor
Sohini Chakraborty is a law graduate, with over two years of experience in legal research and analysis. She specializes in working closely with expert witnesses, offering critical support in preparing legal research and detailed case studies. She delivers well-structured legal summaries.