
    Tracy v. Elekta Settlement: What the $8.9 Million Data Breach Case Means for You

    Joy Coleman
    April 16, 2026 | 8 min read
    A stack of legal reference books alongside a tablet displaying a digital data network, illustrating the intersection of law and cybersecurity at the heart of the Tracy v. Elekta data breach class action settlement.

    The Tracy v. Elekta settlement is an $8,900,000 class action resolution stemming from a 2021 ransomware attack that exposed the sensitive medical and personal data of approximately 497,000 patients. If you received a notice letter about the Elekta and Northwestern Memorial Healthcare data breach, you may be entitled to compensation. The court granted final approval of the settlement on January 9, 2025, and payments to approved claimants began on April 8, 2025.

    What Is the Tracy v. Elekta Settlement?

    Tracy v. Elekta, Inc., et al. (Case No. 1:21-cv-02851) is a class action lawsuit filed in the United States District Court for the Northern District of Georgia. The case arose from a cyberattack on Elekta, Inc. — a healthcare technology company — that occurred between April 2 and April 20, 2021. Unauthorized individuals accessed Elekta's cloud-based radiology software and deployed ransomware in an attempt to encrypt files stored on the company's network.

    One of the most significantly affected customers was Northwestern Memorial Healthcare (NMH), a major Illinois hospital system. NMH reported that the personal and medical data of up to 201,197 oncology patients may have been exposed during the breach. The consolidated lawsuit named Carla Tracy, Darryl Bowsky, and Deborah Harrington as lead plaintiffs representing the broader class of affected individuals.

    Elekta, Inc. and Northwestern Memorial Healthcare deny any wrongdoing and deny liability, but both defendants agreed to a classwide settlement to avoid the costs and risks of continued litigation. The $8.9 million settlement fund covers all eligible class members who received a notice of the data security incident.

    What Data Was Compromised in the Elekta Breach?

    The Elekta data breach exposed a wide range of highly sensitive information. According to court filings, the categories of compromised data included:

    1. Full legal names and dates of birth
    2. Social Security numbers
    3. Home addresses
    4. Medical record numbers and medical histories
    5. Dates of service and treatment plans
    6. Physician names and diagnosis information
    7. Prescription information
    8. Health insurance details
    9. Genetic information (for patients of Illinois-based Elekta customers)

    The exposure of genetic information was particularly significant. Under the Illinois Genetic Information Privacy Act (GIPA), individuals who shared genetic data with NMH or another Illinois-based Elekta customer have a separate legal basis for compensation — and are members of a distinct GIPA subclass within the settlement.

    What Claims Were Filed Against Elekta and NMH?

    The plaintiffs asserted multiple legal theories in the consolidated complaint, including negligence, negligence per se, intrusion upon seclusion and invasion of privacy, breach of implied contract (against NMH), breach of contract (against Elekta), and violation of the Illinois Genetic Information Privacy Act (GIPA). These claims alleged that both Elekta and NMH failed to implement adequate cybersecurity measures to protect the sensitive information entrusted to them by patients.

    Federal and state data protection law imposes obligations on healthcare technology vendors and covered entities to safeguard patient information. The lawsuit argued that Elekta's failure to prevent unauthorized access — and NMH's failure to ensure its vendor maintained adequate security — constituted actionable harm to nearly half a million individuals.

    Who Is Eligible to Participate in the Settlement?

    To qualify as a member of the settlement class, an individual must meet the following criteria:

    1. Their sensitive personal information was stored on Elekta's network and potentially accessed during the April 2021 data breach
    2. They received an official notice letter informing them of the data security incident
    3. They reside in the United States

    The settlement class encompasses approximately 497,000 individuals, according to the official settlement website. A distinct GIPA subclass exists for Illinois residents who shared genetic information with NMH or another Elekta customer located in Illinois prior to the data breach.

    What Compensation Is Available Under the Tracy v. Elekta Settlement?

    The $8.9 million settlement fund provides three forms of compensation. Class members must choose which type of cash payment they wish to claim — they are not eligible to receive more than one cash payment category.

    | Claim Type | Maximum Payment | Eligibility |
    | --- | --- | --- |
    | Out-of-Pocket Loss Reimbursement | Up to $5,000 | All class members with documented losses traceable to the breach |
    | GIPA Cash Payment | Up to $1,000 (pro rata) | Illinois residents who shared genetic information with NMH or an Illinois-based Elekta customer |
    | Pro Rata Cash Payment | Up to $1,000 (pro rata) | All remaining class members who do not qualify for or choose the GIPA option |

    Out-of-Pocket Loss Claims

    Class members who incurred unreimbursed financial losses as a direct result of the breach may submit claims for up to $5,000. Compensable out-of-pocket losses include unreimbursed bank fees, costs for credit monitoring or credit reports, expenses related to fraud prevention, and other documented financial harm. Supporting documentation — such as bank statements, receipts, or tax records — is required.

    GIPA Cash Payment

    Illinois residents who provided genetic information to NMH or an Elekta customer located in Illinois qualify for a separate pro rata cash payment under the Illinois Genetic Information Privacy Act (GIPA), 410 ILCS 513. This payment is capped at $1,000 per claimant and is funded by 50% of the net settlement fund remaining after deductions for attorneys' fees, litigation expenses, administrative costs, and out-of-pocket reimbursements.

    Pro Rata Cash Payment

    Class members who do not qualify for — or do not select — the GIPA payment option may receive a pro rata cash payment from the remaining 50% of the net settlement fund. This payment is also capped at $1,000 and will vary based on the total number of valid claims submitted.

    Current Status: Settlement Approved and Payments Distributing

    The U.S. District Court for the Northern District of Georgia granted final approval of the Tracy v. Elekta settlement on January 9, 2025. No objections or appeals were filed following final approval. Distribution of settlement payments to timely and valid claims began on April 8, 2025, according to the official settlement website.

    If you submitted a valid claim before the December 26, 2024 deadline, you should receive or have already received your payment. If you are unsure about your claim status, you can contact the Settlement Administrator at the address or phone number provided below.

    How to Contact the Elekta Settlement Administrator

    If you have questions about your claim or payment status, you can reach the Settlement Administrator directly:

    Elekta Data Settlement Administrator

    P.O. Box 1429

    Baton Rouge, LA 70821

    Phone: 1-844-377-6369


    Email: info@elektadatasettlement.com

    Website: www.elektadatasettlement.com

    What the Illinois Genetic Information Privacy Act (GIPA) Means for This Case

    The Illinois Genetic Information Privacy Act (GIPA), codified at 410 ILCS 513, prohibits the unauthorized use, disclosure, or access of an individual's genetic information. GIPA provides a private right of action, allowing affected individuals to seek statutory damages. The inclusion of a GIPA subclass in the Tracy v. Elekta settlement is significant because it demonstrates that genetic data breaches carry distinct legal exposure beyond standard negligence claims.

    Healthcare technology companies that store or transmit genetic information for Illinois-based providers face heightened liability under GIPA. This settlement adds to a growing body of litigation holding healthcare vendors accountable for protecting patient genetic data — not just medical records.

    What This Settlement Means for Healthcare Data Breach Victims

    The Tracy v. Elekta settlement reflects a broader trend in healthcare data breach litigation. Ransomware attacks on healthcare infrastructure have increased significantly since 2020, and plaintiffs' attorneys are increasingly naming both the direct target of the attack and the downstream healthcare providers whose patient data was exposed. Holding vendors like Elekta and hospital systems like NMH jointly accountable creates stronger incentives for contractual data security requirements throughout the healthcare supply chain.

    For patients whose most sensitive health and genetic information was compromised, the settlement also demonstrates that class action litigation can provide a path to compensation even when proving individual harm is difficult. If you believe your information was affected by a similar data breach, consulting with a consumer protection or privacy attorney can help you understand your options.

    Frequently Asked Questions About the Tracy v. Elekta Settlement

    What is the Tracy v. Elekta settlement?

    It is an $8.9 million class action settlement resolving claims that Elekta, Inc. and Northwestern Memorial Healthcare failed to adequately protect the personal, medical, and genetic data of approximately 497,000 patients affected by a ransomware attack in April 2021.

    Has the Tracy v. Elekta settlement been approved?

    Yes. The U.S. District Court for the Northern District of Georgia granted final approval on January 9, 2025. No objections or appeals were filed.

    When did settlement payments begin?

    Distribution of payments to approved claimants began on April 8, 2025.

    Who is eligible to receive a payment?

    Any individual who received a notice letter about the Elekta data security incident, whose sensitive information was stored on Elekta's network and potentially accessed in April 2021, and who is a U.S. resident.

    How much money can class members receive?

    Up to $5,000 for documented out-of-pocket losses, up to $1,000 pro rata for GIPA subclass members (Illinois residents who shared genetic data), or up to $1,000 pro rata for all other class members who submit a valid claim.

    Can I receive both a GIPA payment and a pro rata payment?

    No. Class members must choose one form of cash payment — either the GIPA Cash Payment or the Pro Rata Cash Payment. You cannot receive both.

    What is the GIPA subclass?

    The GIPA subclass consists of Illinois residents who shared genetic information with Northwestern Memorial Healthcare or another Elekta customer located in Illinois. These individuals have additional claims under the Illinois Genetic Information Privacy Act (GIPA), 410 ILCS 513.

    What documentation is needed for an out-of-pocket claim?

    Supporting documentation is required, such as bank statements, receipts, tax documents, or other records showing unreimbursed financial losses traceable to the data breach.

    Is the claims deadline still open?

    No. The claims deadline was December 26, 2024. If you missed the deadline, you are generally not eligible to receive a payment but may contact the Settlement Administrator for further information.

    What did Elekta and NMH deny in the lawsuit?

    Both defendants deny any wrongdoing and deny liability. They agreed to the settlement to avoid the expense and uncertainty of continued litigation, not as an admission of fault.

    What data was exposed in the Elekta breach?

    Names, Social Security numbers, dates of birth, addresses, medical records, treatment plans, prescription data, health insurance information, and in some cases genetic information.

    What court is overseeing the settlement?

    The U.S. District Court for the Northern District of Georgia is presiding over Tracy v. Elekta, Inc., et al., Case No. 1:21-cv-02851.

    Disclaimer

    This content is for general informational purposes only, is not legal advice, and does not create an attorney-client relationship. Joy Coleman is licensed in Georgia and New Jersey and is not licensed to practice law in Illinois. Readers should consult a qualified attorney licensed in their jurisdiction.

    If your personal or medical data was exposed in a data breach, an experienced consumer protection attorney can help you understand your rights and options. Use the Get Matched feature on AttorneyReview.com to connect with a qualified attorney in your area today.
