A significant data breach has compromised the sensitive personal and health information of numerous individuals, leading to a class action lawsuit against a major educational and healthcare institution. Nicole Kritzer filed the complaint on November 21, 2025, in the United States District Court for the Middle District of North Carolina against The University of North Carolina at Chapel Hill, its hospitals, and its healthcare system.
The lawsuit stems from a cyberattack that occurred around July 24, 2025, which exposed personally identifiable information (PII) and protected health information (PHI) of patients and employees. According to Kritzer’s complaint, the breach was facilitated by a faculty member at the University’s School of Medicine who fell victim to a phishing attack. This allowed cybercriminals access to an email account containing sensitive data such as names, birth dates, diagnosis details, and potentially more critical information like Social Security numbers and financial account details. Despite discovering the breach on the same day it occurred, defendants delayed notifying affected individuals until September 19, 2025.
Kritzer accuses the defendants of failing to implement adequate cybersecurity measures despite being aware of potential risks. The complaint alleges that their negligence in securing sensitive data violated various laws including HIPAA regulations designed to protect patient privacy. Kritzer argues that this failure resulted in substantial harm to her and other class members who now face increased risks of identity theft and fraud. She highlights how criminals can misuse stolen PII for fraudulent activities like opening new credit accounts or filing false tax returns.
The plaintiff seeks compensatory damages for financial losses incurred due to identity theft risks along with reimbursement for out-of-pocket expenses related to monitoring credit reports. Additionally, she demands injunctive relief requiring defendants to enhance their data security systems through regular audits and provide long-term credit monitoring services funded by them.
Representing Kritzer is legal counsel skilled in handling class actions involving data breaches while defendants will likely rely on experienced attorneys specializing in defending complex litigation cases involving large institutions like universities or healthcare systems. The case has been assigned Case No.: 1:25-cv-01067 under Judge [Name] with attorneys [Names] representing both parties involved.
Source: Kritzer_v_University_of_North_Carolina_Complaint_Middle_District_North_Carolina.pdf
