Welcome to the settlement information website for R.O., et al. v. Rady Children’s Hospital-San Diego, Lead Case No. 37-2020-00011841-CU-BT-CTL (consolidated with Orozco, et al. v. Rady Children’s Hospital-San Diego, Case No. 37-2020-00023102-CU-NP-CTL. On December 10, 2021, the San Diego Superior Court granted preliminary approval of this settlement, which includes all patients (or their parents or guardians) of Defendant Rady Children’s Hospital – San Diego (“Rady” or “Defendant”) who were admitted as radiology patients or received radiology-related treatment or services at one of Defendant Rady’s hospital, satellite or urgent care locations on or before January 3, 2020 and were mailed a letter sent by Rady entitled “Notice of Data Security Incident,” dated February 21, 2020. This website has been established to provide general information.

Background of the Litigation

On or after February 20, 2020, Rady mailed to you and to the other Class Members (identifiable to Rady at that time) a letter with the caption “Notice of Data Security Incident,” stating, in part, “we need to let you know about a data security incident involving patient health information.”  In the letter, Rady stated, “We learned that, between the dates of June 20, 2019 and January 3, 2020, some information for a limited number of patients was accessed without authorization via an Internet port.”

Rady’s February 2020 letter stated the following concerning the patient data that was accessed via the Internet port: “the patient information included patient name, gender, and type and date of imaging studies.  In some instances, the patient information also included one or more of the following types of information: date of birth, medical record number, description of the imaging study, and the referring physician’s name.” In a contemporaneous February 21, 2020 press release posted to Rady’s website, Rady stated that it first “learned of a data security incident” on January 3, 2020, and thereafter launched an investigation.  According to the February 21 press release, Rady’s initial investigation determined that between the dates of June 20, 2019 and January 3, 2020, information for a limited number of patients was accessed without authorization via an Internet port. The press release indicated that patient information involved in the Breach included “patient name, gender, and type and date of imaging studies,” and that “[i]n some instances,” the information included one or more of “date of birth, medical record number, parent/guardian name, description of imaging study and name of referring physician.”

During discovery in the Action, Rady has provided information to support its determination that the patient data accessed via the Internet port resided primarily on two different network servers.  As to one server, known as HCIPAPV1 (“Server 1”), Rady determined that information of 590 patients (i.e. potential Class Members) was subject to access by an unauthorized user.  These patients comprise the list of potential Sub-Class 1 members. As to the second server, known as HCIPAPV2 (“Server 2”), Rady contends that it determined that information of as many as 32 of the 1,770 patients (i.e. potential Class Members) with data residing on Server 2 (and not on Server 1) may have had their information accessed by an unauthorized user.  As part of the Settlement Agreement, all 1,770 patients whose data was stored on Server 2 comprise the list of potential Sub-Class 2 members.

Plaintiffs allege that Rady’s failure to adequately protect the confidentiality of all Class Member’s personal and confidential medical information and prevent disclosure or access by unauthorized third parties was a violation of the Confidentiality of Medical Information ACT (“CMIA”), as well as other laws.

The Settlement

The Court has not decided whether Rady did anything wrong in violation of the CMIA or other applicable law. Instead, the Parties have reached an agreement to the Settlement, which is subject to final approval by the Court. The Final Approval Hearing will be held on May 6, 2022 at 1:30 p.m., in Department C-69, at the Superior Court of California for the County of San Diego before the Honorable Katherine Bacal.

Important Dates

  • Objection Deadline: February 14, 2022
  • Opt-Out Deadline: February 14, 2022
  • Claim Form Deadline: March 30, 2022
  • Final Approval Hearing: May 6, 2022

Additional Information

If you have any questions, you may contact the administrator toll-free at (888) 250-6810.


ILYM GROUP, Inc. www.ilymgroup.com | P.O. Box 2031, Tustin, CA 92781

This website is maintained by ILYM Group, Inc, the Claims Administrator for this settlement. We are a neutral third party engaged to provide information to class members.