A Chicago anti-poverty organization and associated companies have agreed to a $300,000 settlement to resolve a class action lawsuit filed in response to a 2022 data breach. On or around December 15, 2022, Heartland Alliance disclosed a data security incident and mailed notification letters on or around December 21, 2022. An unauthorized third party had access to its network, where files containing sensitive data were stored. Those files contained names, dates of birth, Social Security numbers, driver’s license numbers, bank account numbers, and medical/health information. While the data breach was announced in December 2022, the hackers gained access to the network on January 26, 2022. Heartland Alliance reported the data breach to the HHS’ Office for Civil Rights as involving the protected health information of 46,694 individuals.

A lawsuit was filed against the several Heartland entities – Wittmeyer et al. v. Heartland Alliance for Human Needs & Human Rights, Heartland Alliance Health, Heartland Alliance International, LLC, Heartland Housing, Inc., and Heartland Human Care Services, Inc. – in the Circuit Court for Lake County, Illinois, County Department, Chancery Division over the data breach. The plaintiffs alleged that the defendants were negligent due to failing to implement reasonable security measures pursuant to HIPAA, the FTC Act, and the Illinois Consumer Fraud and Deceptive Business Practices Act.

The lawsuit also asserted claims of negligence per se, related to the lack of encryption or equivalent safeguards as required by HIPAA, breach of contract, breach of implied contract, and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. The defendants deny all claims and contentions in the litigation and maintain there was no wrongdoing; however, a settlement was agreed after considering the costs, expenses, distraction, and risks associated with continuing with the litigation.

Under the terms of the settlement, class members may claim compensation for documented, unreimbursed losses of up to $6,000. That includes up to $1,000 for ordinary losses and up to $5,000 for extraordinary losses due to identity theft and fraud. Claims may also be submitted for up to three hours of lost time at $22.50 per hour as compensation for time spent resolving issues related to the data breach. The settlement also includes two years of three-bureau credit monitoring services, which include a $1 million identity theft insurance policy.

The settlement has received preliminary approval from the court, and the final approval hearing has been scheduled for November 19, 2025. Individuals wishing to object to or exclude themselves from the settlement must do so by September 30, 2025, and claims for compensation, lost time, and credit monitoring services must be submitted by October 30, 2025. Further information can be found on the settlement website: https://heartlanddatasettlement.com/

The post Heartland Alliance Agrees to Data Breach Settlement appeared first on The HIPAA Journal.