The internal computer network of ZOLL Medical Corporation, a Chelmsford, Massachusetts-based company that manufactures wearable defibrillators, cardiac monitoring equipment, and the LifeVest, a device worn by patients at high risk of sudden cardiac arrest while they wait to be determined whether they require a permanent implanted defibrillator, was compromised by an unauthorized third party in late January 2023. ZOLL discovered the breach on January 28 after it had existed for two days, between January 22 and 23.
The business then failed to notify the more than one million individuals whose names, addresses, dates of birth, and Social Security numbers had been compromised until March 10, 2023, more than a month after learning of the incident, according to the class action lawsuits that were later filed. By then, the information had already been made public, and the notices that were being delivered to people’s mailboxes were coming a long time after the event.
Smith et al. v. ZOLL Medical Corporation, a lawsuit that was consolidated in federal court in Massachusetts, claimed that ZOLL had neglected to sufficiently safeguard its network in spite of a prior data breach that occurred in 2019 when a routine server migration exposed the personal and medical information of 277,319 patients. The complaint claimed that the corporation had a specific purpose to invest in its cybersecurity infrastructure because of that previous event.
The 2023 hack was characterized as a “second, larger” failure that showed “reckless disregard” for the security of its clients and staff. This framing is more persuasive from a legal standpoint when you can provide proof of prior notice that the issue existed. Like the defendants in earlier lawsuits, ZOLL denied any misconduct, and the 2026 settlement is expressly not an acknowledgment of responsibility.
Members of the class who want compensation now have two options thanks to the $3.5 million settlement. The first is reimbursement for documented out-of-pocket losses directly related to the breach, such as bank fees, the cost of identity monitoring subscriptions or credit freezes purchased in response to the notification, communication costs, and time spent handling the fallout (the settlement values that time at $25 per hour for up to 10 hours, giving a maximum time-value claim of $250). The $5,000 per person total out-of-pocket claim cap is sufficient to cover the majority of real-world costs, but accessing it requires documentation.
A significant distinction is built into the second track, which is a pro rata cash payment that all class members receive without having to prove specific losses. Class members whose Social Security numbers were specifically compromised, known as the SSN Subclass, receive a two-times pro rata payment, which reflects the longer-duration identity theft risk associated with SSN exposure compared to the exposure of other personal information alone.
ZOLL’s predicament seems more like a typical case study than an anomaly when considering the larger panorama of healthcare data breach settlements that have gathered over the past few years. Heart clinics, hospital networks, insurance administrators, and device manufacturers are just a few examples of the wave of similar cases that have the same basic architecture: sensitive health data, insufficient security, delayed notification, and a settlement fund that only covers a small portion of the potential harm while the business denies wrongdoing and moves on.
The compound failure component is what slightly sets the ZOLL case apart; the 2019 breach provided the organization with particular previous knowledge of its vulnerabilities, and the 2023 occurrence implies that knowledge was not turned into effective remedy.
The deadline for filing a claim is September 2, 2026. Requests to opt out must be postmarked by August 3. HeartDeviceDataSettlement.com is the official website. The window is open but closing if ZOLL notified you of a data breach in 2023 and you haven’t filed yet.
The amount of time you spent handling the aftermath of the breach will determine whether the reimbursement is worth the effort of obtaining documentation. Even in the absence of specific verified damages, the basis for filing is greater for those whose Social Security numbers were among the leaked data.
Disclaimer
Nothing published on Creative Learning Guild — including news articles, legal news, lawsuit summaries, settlement guides, legal analysis, financial commentary, expert opinion, educational content, or any other material — constitutes legal advice, financial advice, investment advice, or professional counsel of any kind. All content on this website is provided strictly for informational, educational, and news reporting purposes only. Consult your legal or financial advisor before taking any step.
