CareBill Solutions processed billing for 42 clinics. In January 2025, an employee clicked a phishing link that gave attackers mailbox access for 18 days. The compromised mailbox contained patient names, dates of birth, insurance IDs, treatment codes, and partial bank information for payment plans. CareBill notified 96,000 patients and offered 12 months of credit monitoring. Plaintiffs allege negligence, breach of implied contract, and state consumer-protection violations. CareBill argues it had reasonable safeguards, no full Social Security numbers were exposed, and plaintiffs cannot prove identity-theft causation.
Incident response timeline
Security logs show the phishing login occurred January 4. Unusual forwarding rules were detected January 10 but disabled January 22. CareBill says investigation required time; plaintiffs say the 12-day delay expanded exposure. Trial use: Shows detection and containment timing, while the 12-day delay supports negligence and expanded-exposure arguments. Foundation: A custodian, author, recipient, or investigator should authenticate when it was made, how it was preserved, and how it connects to the disputed event. Cross-examination focus: Technical Interpretation FRE 702.
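The timeline turns on two intervals: first access to detection, and detection to containment. The following is an added illustration, not evidence from the exercise or code from CareBill (a fictional vendor): it flags inbox rules that forward mail outside the organization's domain in a constructed, simplified JSON-lines audit feed, and computes the exposure intervals from the exercise dates. Field names (`ts`, `op`, `user`, `params`) are assumptions of this example, not a real product's schema; the forwarding parameter names mirror the Exchange inbox-rule parameters but the events are invented.

```python
"""Flag external mail-forwarding rules and compute exposure intervals.

Added example for the incident timeline above; not the exercise's own material.
The audit feed below is constructed and simplified; its field names are assumptions.
"""
import json
from datetime import date, datetime

ORG_DOMAINS = {"carebill.example"}  # constructed: the organization's own mail domains

# Inbox-rule operations and the parameters that send mail elsewhere.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample audit events, dated to match the exercise timeline.
SAMPLE_AUDIT_LOG = """
{"ts": "2025-01-04T08:12:00Z", "op": "UserLoggedIn", "user": "j.doe@carebill.example", "ip": "203.0.113.45"}
{"ts": "2025-01-04T08:15:30Z", "op": "New-InboxRule", "user": "j.doe@carebill.example", "params": {"ForwardTo": "archive@mail-relay.example", "DeleteMessage": true}}
{"ts": "2025-01-06T09:00:00Z", "op": "New-InboxRule", "user": "a.smith@carebill.example", "params": {"ForwardTo": "a.smith@carebill.example", "MoveToFolder": "Claims"}}
{"ts": "2025-01-10T14:02:00Z", "op": "Set-InboxRule", "user": "j.doe@carebill.example", "params": {"ForwardAsAttachmentTo": ["drop@mail-relay.example"]}}
{"ts": "2025-01-22T11:30:00Z", "op": "Remove-InboxRule", "user": "j.doe@carebill.example", "params": {"Identity": "archive"}}
"""


def parse_events(text):
    """Parse JSON-lines audit text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _targets(params):
    """Yield every forwarding address in a rule's parameters (string or list)."""
    for key in FORWARD_PARAMS:
        value = params.get(key)
        if value is None:
            continue
        if isinstance(value, str):
            value = [value]
        yield from value


def _is_external(addr, org_domains):
    """True when the address's domain is not one of the organization's domains."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain not in org_domains


def external_forwarding_rules(events, org_domains=ORG_DOMAINS):
    """Return (timestamp, user, target) for each rule forwarding mail outside org_domains.

    Internal forwarding (e.g. to a colleague or a folder) is not flagged, which keeps
    the alert focused on the exfiltration pattern the timeline describes.
    """
    hits = []
    for ev in events:
        if ev.get("op") not in RULE_OPS:
            continue
        for target in _targets(ev.get("params", {})):
            if _is_external(target, org_domains):
                hits.append((ev["ts"], ev["user"], target))
    return hits


def first_external_rule_date(events, org_domains=ORG_DOMAINS):
    """Earliest date on which an external forwarding rule appears, or None."""
    hits = external_forwarding_rules(events, org_domains)
    if not hits:
        return None
    return min(datetime.fromisoformat(ts.replace("Z", "+00:00")).date() for ts, _, _ in hits)


def exposure_metrics(first_access, detected, contained):
    """Days from first access to detection, detection to containment, and in total."""
    return {
        "days_to_detection": (detected - first_access).days,
        "days_to_containment": (contained - detected).days,
        "total_exposure_days": (contained - first_access).days,
    }


def exercise_timeline():
    """Intervals for the dates given in the exercise: Jan 4 login, Jan 10 detection, Jan 22 containment."""
    return exposure_metrics(date(2025, 1, 4), date(2025, 1, 10), date(2025, 1, 22))


if __name__ == "__main__":
    events = parse_events(SAMPLE_AUDIT_LOG)
    for ts, user, target in external_forwarding_rules(events):
        print(f"ALERT {ts} {user} forwards mail to external address {target}")
    print("first external rule:", first_external_rule_date(events))
    print(exercise_timeline())
```

Run against the constructed feed, the rule check fires on January 4, the day the first external forwarding rule was created, whereas the exercise has the rules noticed on January 10. That six-day gap, plus the twelve days from detection to disabling the rules, is what the 18-day exposure figure decomposes into; alerting on rule creation rather than periodic review addresses the first interval, and a documented containment playbook addresses the second.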
SOC 2 report and security policy
CareBill's 2024 SOC 2 report noted multifactor authentication was "planned for privileged users" but not fully deployed for billing staff. Policies required annual phishing training; completion records show 71% compliance. Trial use: Tests the security standard of care through MFA and training records, while the defense can argue the controls were typical for a vendor of this size. Foundation: A custodian, author, recipient, or investigator should authenticate when it was made, how it was preserved, and how it connects to the disputed event. Cross-examination focus: Completeness FRE 106.
Breach notification letters
Letters told patients that names, dates of birth, insurance information, treatment codes, and partial payment details may have been accessed. CareBill did not state that full Social Security numbers were compromised. Trial use: Defines what patient data may have been exposed, but omission of full Social Security numbers limits identity-theft causation. Foundation: A custodian, author, recipient, or investigator should authenticate when it was made, how it was preserved, and how it connects to the disputed event. Cross-examination focus: Relevance Dispute FRE 401.
Plaintiff identity-theft records
Named plaintiff Aaron Patel reports two fraudulent credit-card applications and 14 hours spent freezing accounts. CareBill notes the applications used his full Social Security number, which CareBill says it did not store. Trial use: Supports concrete harm and time-loss damages, while fraudulent applications using data CareBill says it lacked weaken causation. Foundation: A custodian, author, recipient, or investigator should authenticate when it was made, how it was preserved, and how it connects to the disputed event. Cross-examination focus: Causation Dispute; Hearsay Risk FRE 803.
Cybersecurity expert report
Plaintiffs' expert says the lack of MFA and incomplete phishing training fell below healthcare vendor standards. The defense expert says the vendor's controls were typical for its size and the criminal phish was sophisticated. Trial use: Frames expert negligence opinions on MFA and phishing controls, leaving reliability and industry-standard comparisons for Daubert-style attack. Foundation: The sponsoring expert should explain qualifications, source data, method, assumptions, and whether the opinion reliably fits the disputed issue. Cross-examination focus: Expert Qualification FRE 702.
Aaron Patel (named plaintiff)
Patient whose billing data was in the compromised mailbox
After the notice, I had fraudulent credit applications and spent hours freezing accounts. CareBill had my medical billing data and should have protected it. They waited too long to stop the mailbox forwarding.
Megan Ross (CareBill security director)
Director of information security at CareBill Solutions
We had email filtering, endpoint monitoring, and annual training. Once we confirmed malicious access, we contained it and notified patients. The exposed data did not include full Social Security numbers or full bank account numbers.
Dr. Omar Castillo (plaintiff cybersecurity expert)
Former hospital-system CISO and healthcare security consultant
For a healthcare billing vendor, MFA on mailboxes and complete phishing training are baseline controls. The delay in disabling forwarding rules increased the volume and duration of data exposure.
Healthcare Vendor Data Breach Negligence — Federal