Wednesday, April 29

Someone at Charleston Area Medical Center clicked on the phishing email when it arrived in October 2024. These stories nearly always start like that: not with a movie-style hacker in a dark room, nor with a skilled nation-state actor breaching a firewall, but with a weary employee scanning their inbox between patient rounds and clicking on a link that appeared, for a split second, sufficiently authentic.

By the time CAMC noticed what had happened, the attackers had been inside the email system long enough to sift through messages carrying the kind of material that should sit behind multiple layers of encryption: names, Social Security numbers, medical histories. The kind of data that never really comes back once it has leaked. The hospital, headquartered in a city of only 47,000 inhabitants, unexpectedly found itself at the center of a class action lawsuit that would ultimately result in a proposed $1 million settlement after the data of over 67,000 people was compromised.

CAMC Data Breach Settlement — Key Information

Organization Involved: Charleston Area Medical Center (CAMC)
Headquarters: Charleston, West Virginia
Type of Institution: Non-profit regional health system
Incident Type: Phishing attack on employee email accounts
Date of Breach: October 2024
Public Disclosure: Early 2025
Individuals Affected: Over 67,000 patients
Data Exposed: Names, Social Security numbers, health information
Proposed Settlement Amount: $1 million
Legal Status: Class action settlement pending court approval
Settlement Hotline: 1-877-732-0029
Unrelated Past Settlement: $23.1 million (2021, closed case)
Regulatory Oversight: U.S. Department of Health and Human Services

That figure could seem tiny. The math becomes awkward when you divide it by 67,000. However, settlement amounts in healthcare data breach lawsuits typically look like that—a sum intended to put an end to a chapter rather than to make anyone whole. Attorneys will receive a portion. Another portion will be consumed by administrative expenses. Patients who are impacted may receive a tiny portion of a residual fund or a modest payment for credit monitoring if they file claims accurately and on time. Observing these cases develop nationwide gives the impression that the settlement is more about closure than justice.

Charleston is not accustomed to this level of attention. At the CAMC complex, which sits along the Kanawha River with its buildings grouped on the South Side, parking attendants know the cardiology nurses by name. There isn’t another hospital like it for a significant portion of West Virginia, so patients travel two hours from remote counties to get there. That regional weight matters: the effects of a breach of trust at a place like CAMC reach further than the headlines might indicate.

For claim information, the hospital has advised impacted parties to visit the settlement website or call 1-877-732-0029. However, the deadlines and details are often buried in legalese that most people won’t try to decipher. Patients who call the hotline are often confused by a different, much larger $23.1 million settlement from 2021 that occasionally appears in search results. That case has been closed: a different lawsuit, a different era, a different breach. Still, the conflation illustrates how frequently the same institution experiences this.

CAMC Data Breach Settlement

Despite years of warnings, healthcare cybersecurity continues to lag behind. Hospitals run on email systems that haven’t changed significantly since the early 2010s, overburdened IT staff, and obsolete software. Phishing attacks succeed because the attackers only need to be right once, while the defenders must be right every time. CAMC is not alone here. Over the past two years, Ascension, Change Healthcare, and other smaller systems have all suffered comparable setbacks.

As this develops, it’s difficult to avoid wondering if the $1 million settlement will genuinely improve CAMC’s security posture or if it’s just the price of doing business in a sector that has quietly accepted security breaches as the norm. Naturally, patients are still required to review their credit reports. I’m still waiting on the next letter.
