December 17, 2025

Henry Ford Health System Lawsuits: Privacy & Liability

Three consolidated class action proceedings against the Henry Ford Health System resulted in $152.9 million in aggregate settlements, finalized through 2023–2025, addressing distinct liability theories: patient portal privacy violations (a $12.2 million settlement preliminarily approved in May 2025), data breach response failures (a $700,000 settlement tied to a March 30, 2023 breach), and institutional oversight of privileged physicians ($140 million).

The proceedings, filed between 2023 and 2024, established liability frameworks across patient privacy law, breach notification requirements, and institutional accountability for affiliated physicians. Each case operated independently with separate procedural timelines and settlement structures.

This analysis breaks down the litigation context, settlement mechanics, and legal theories underpinning each proceeding, highlighting how the matters diverged across privacy, breach-notification, and credentialing obligations. 

Henry Ford Health Lawsuits: Institutional Background & Scale

Henry Ford Health is a large not-for-profit healthcare system in Michigan, operating a statewide network of hospitals, outpatient centers, and an affiliated health plan. Its joint venture with Ascension Michigan, completed on October 1, 2024, further expanded the system’s combined hospital and outpatient footprint.

This organizational scale is relevant to litigation because the three proceedings involved different parts of the system: 

  1. Patient-facing digital platforms 
  2. Internal data-security operations
  3. Credentialing oversight for privileged physicians. 

Understanding the system’s size and structure clarifies how liability standards were applied across each independent case.

1. Patient Portal Privacy Lawsuit

The privacy class action alleged Henry Ford Health violated federal and state privacy laws by deploying Meta Pixel, Google Analytics, Google Tag Manager, and Google DoubleClick on authenticated MyChart patient-portal pages. These tools allegedly transmitted the following to third-party platforms without business associate agreements or patient authorization:

  • Patient identifiers.
  • Appointment details.
  • Laboratory information.
  • Interaction data from authenticated sessions.

The class included 819,000 MyChart users between January 1, 2020, and December 31, 2023. The distinction between authenticated portal users and general web visitors was central, as courts treat portal activity as protected healthcare communication with heightened privacy expectations.

Plaintiff Legal Theories

Plaintiffs advanced multiple liability theories, including:

  • Electronic Communications Privacy Act (ECPA) “intentional interception” claims.
  • HIPAA Privacy Rule violations used as standards-of-care predicates.
  • State wiretapping breaches.
  • Breach of fiduciary duty arising from physician–patient relationships.
  • Common-law invasion of privacy torts.
  • Unjust enrichment based on unauthorized patient-data commercialization.

Settlement Structure

Henry Ford created a $12.2 million fund, providing:

Henry Ford denied wrongdoing, asserting its analytics practices aligned with industry norms, and resolved the matter without admitting liability. The settlement received final approval on October 7, 2025, following preliminary approval on May 27, 2025.

2. Data Breach Settlement

A separate data security incident involved a targeted email phishing attack around March 30, 2023, in which an unauthorized third party may have gained access to Henry Ford Health's business email accounts containing patient information.

According to court filings and the settlement documents, Henry Ford Health later determined that the incident may have impacted personal information and publicly disclosed the incident “on or around” July 14, 2023, triggering mailed breach notices to affected individuals.

Incident Scope & Data Involved

The settlement defines the “Data Security Incident” as impacting the personal information of roughly 168,000 individuals, with a settlement-class list of 168,294 records produced to the administrator.

“Personal Information” for purposes of the case includes:

  • Names, genders, dates of birth, ages, lab results, procedure types, diagnoses, dates of service, telephone numbers; and
  • Medical record numbers and/or internal tracking numbers.

Class counsel’s declaration confirms that Social Security numbers were not compromised in the incident.

Settlement Structure & Benefits

Under the In re Henry Ford Health System Data Security Litigation settlement, Henry Ford Health agreed to fund a US$700,000 non-reversionary settlement fund.

From that fund, each settlement class member may claim:

  • Two years of Credit Monitoring and Insurance Services (CMIS), including one-bureau credit monitoring and US$1,000,000 in identity theft insurance; and
  • One of either:
    • Reimbursement of Documented Losses up to US$2,500 per person, subject to a US$25,000 aggregate cap (with pro rata reduction if claims exceed that amount), or
    • A pro rata cash payment from the remaining “Cash Fund” portion of the Net Settlement Fund.

Procedural History & Approval

The litigation timeline in federal court unfolded as follows:

  • July 19, 2023: Initial data breach lawsuit filed (Pelt v. Henry Ford Health System, later consolidated).
  • October 13, 2023: Consolidated class action In re Henry Ford Health System Data Security Litigation, No. 2:23-cv-11736, is filed in the Eastern District of Michigan.
  • February 8, 2024: Parties participate in a full-day mediation before Bennett G. Picker; settlement in principle reached on March 18, 2024.
  • June 14, 2024: Class Action Settlement Agreement and Release is executed.
  • June 25, 2024: Court grants preliminary approval and authorizes notice to the class.
  • October 29, 2024: Court holds the final approval hearing and enters the Final Approval Order and Judgment, approving the settlement and dismissing the action with prejudice.

3. Credentialing Oversight Lawsuit

The most significant exposure stemmed from sexual misconduct allegations against Dr. Oumair Aejaz, a non-employee physician who held privileges at Henry Ford Macomb Hospital. 

Following his August 20, 2024, arrest, investigators reportedly recovered numerous covert patient-recording videos, including recordings of minors as young as two years old. The alleged misconduct spanned at least six years across multiple clinical settings.

Core Liability Theories

Class action complaints filed September 24, 2024, asserted that Henry Ford Health:

  • Granted Dr. Aejaz unsupervised access to patients despite red flags,
  • Maintained inadequate credentialing and re-credentialing controls, and
  • Failed to escalate or investigate complaints consistent with institutional policies.

Because Dr. Aejaz was not an employee, the case did not rely on traditional respondeat superior theories. Instead, plaintiffs argued that hospitals owe independent credentialing, supervision, and investigation duties to patients regardless of employment status.

Settlement Structure

Two coordinated state-court approvals — Wayne County (Judge Gershwin A. Drain) and Macomb County (Judge James Maceroni) — finalized a US$140 million settlement featuring a tiered design:

  • US$5,000 base payments to all 8,242 class members (≈ US$41 million total), and
  • A US$100 million supplemental fund for individuals able to demonstrate filming or physical assault.

Procedural Timing

Final approvals were entered in October–November 2024. The interval between the August 2024 arrest and the approval of the complete settlement, roughly three months, was notably short. The unusual pace suggests both parties anticipated substantial institutional oversight exposure and sought to avoid extended credentialing discovery.

Practice Implications for Medical Malpractice Counsel

Healthcare-liability exposure increasingly hinges on institutional systems, such as credentialing, breach notification, and patient-facing technologies, rather than on individual provider conduct. The Henry Ford matters illustrate how these systems drive discovery strategy, valuation, and institutional defenses.

Credentialing and Oversight Discovery

The physician-oversight settlement underscores that hospitals may face institutional liability even when physicians are privileged rather than employed. Discovery will often center on whether the hospital maintained adequate safeguards and escalation procedures.

Key discovery targets typically include:

  • Credentialing and re-credentialing files, including documented evaluations.
  • Committee or peer-review materials addressing concerns or clinical issues.

Defense teams should conduct internal credentialing audits early, ensuring retention of long-range documentation where alleged misconduct spans multiple years.

Institutional Exposure Benchmarking

The three Henry Ford matters illustrate how institutional exposure varies sharply across liability categories. Privacy-tracking conduct produces low per-capita values; procedural breach-notification failures produce slightly higher exposure; credentialing failures involving direct patient harm or abuse lead to substantial settlements.

Practitioners can draw valuation insight from:

  • The relative severity of institutional oversights, not just clinical outcomes.
  • How long the underlying failures persisted, especially for credentialing and supervision.

These patterns help forecast exposure when hospital processes, not individual provider negligence, drive the liability theory.

Evidence Preservation and Incident-Response Records

The data breach case’s 47-day detection gap and the misconduct case’s rapid sequence from arrest to settlement highlight how evidence preservation influences strategy and risk calculation. Early preservation letters often become critical.

Counsel should prioritize securing:

  • Incident-response documentation and access-log records reflecting detection and escalation.
  • Internal communications concerning delayed notifications or failed safeguards.

Where institutional workflows appear central to the alleged harm, preservation must begin immediately.

Expansion of Institutional Liability Theories

Across the three proceedings, courts examined liability tied to technology deployment, breach-notification procedures, and physician-privilege oversight. These matters show that institutional accountability extends well beyond employment relationships or direct clinical actions.

Key implications include:

  • Hospitals may face liability for vendor-technology practices, including analytics tools and tracking pixels.
  • Non-employee physicians can still trigger credentialing-based institutional exposure when oversight mechanisms break down.

This broader framework is increasingly central in modern malpractice and healthcare liability litigation.

Institutional Liability Trends in Healthcare Litigation

The three Henry Ford proceedings demonstrate the expanding scope of institutional accountability across digital privacy, cybersecurity practices, and medical-staff oversight. They show how liability increasingly centers on the systems and structures that govern patient interactions—analytics tools, breach-response procedures, and credentialing mechanisms—not only direct clinical care.

For malpractice practitioners, these cases offer a contemporary framework for evaluating institutional exposure, structuring discovery, and situating case valuation within emerging healthcare-liability trends.

Read about more medical malpractice cases in our analysis of the Philips CPAP settlement.

FAQs

Were the three Henry Ford Health cases consolidated or procedurally independent?

Although all three matters involved Henry Ford Health, they proceeded on fully independent tracks with separate complaints, class definitions, negotiation timelines, and judicial oversight. The cases share no procedural consolidation and reached settlement approvals through distinct courts and schedules.

What liability categories do these three settlements collectively illustrate for healthcare systems?

The settlements span three discrete exposure categories: unauthorized transmission of regulated health information to third-party analytics platforms, delayed breach detection and notification under federal and state requirements, and institutional oversight obligations tied to credentialing and monitoring of privileged physicians.

How did the settlement structures differ across the three matters?

Each case adopted a distinct remedial model. The privacy settlement used fixed cash payments with identity-protection services; the breach-notification settlement relied on documented-loss reimbursement and credit-monitoring options; and the physician-oversight matter employed a two-tier structure with uniform base payments and a supplemental evidentiary fund for higher-severity claims.
