In a significant legal development, a class action lawsuit has been filed against a prominent health system for allegedly failing to protect sensitive patient information. The complaint was lodged by Melissa Crider on December 4, 2025, in the United States District Court for the Western District of Wisconsin, targeting Marshfield Clinic Health System, Inc. This case highlights critical concerns about data security practices within healthcare institutions.
The lawsuit stems from an alleged data breach that compromised the personal and health information of current and former patients. According to the complaint, Marshfield Clinic Health System detected unauthorized access to its systems on or around August 27, 2025. However, it reportedly delayed notifying affected individuals until November 2025. The compromised data includes names, birth dates, addresses, phone numbers, insurance ID numbers, and detailed medical records. Crider claims that this breach has left her and others at heightened risk of identity theft and fraud. “Plaintiff and Class Members are now at a significantly increased and certainly impending risk of fraud,” states the complaint.
Crider accuses Marshfield Clinic Health System of negligence for failing to implement adequate security measures despite being aware of the risks associated with storing sensitive information in an unencrypted environment accessible via the internet. The plaintiff alleges that Marshfield’s actions violated several laws including Section 5 of the Federal Trade Commission Act (FTC Act) which prohibits unfair practices affecting commerce. Furthermore, she asserts that Marshfield breached implied contracts with patients by not safeguarding their private information as promised.
The lawsuit seeks damages for negligence, negligence per se, breach of implied contract, unjust enrichment, and declaratory judgment arising from the data breach. Crider is asking for injunctive relief requiring Marshfield to adopt sufficient practices to safeguard private information in its custody to prevent future incidents like this one from occurring again. Additionally, she demands that Marshfield provide lifetime identity theft protective services to all affected individuals.
Representing Crider in this case are attorneys Gerald D. Wells III and Robert J. Gray from Lynch Carpenter LLP based in Philadelphia. The case has been assigned Civil Action No. 3:25-cv-00996 under Judge’s supervision at the United States District Court for the Western District of Wisconsin.
Source: 325cv00996_Crider_v_Marshfield_Clinic_Health_System_Inc_Complaint_Western_District_Wisconsin.pdf
