$6.5 Million Settlement Resolves Omni Family Health Class Action Data Breach Lawsuit

Omni Family Health, a network of 39 community health centers in Kern, Kings, Tulare, and Fresno counties in California, experienced a cyberattack in 2024. A $6.5 million settlement has recently been agreed to resolve the resultant class action litigation.

Omni Family Health experienced a cyberattack in February 2024 that caused a 5-day outage of its IT systems. The cyberattack was investigated at the time; however, no evidence was found to indicate that any patient data had been compromised in the incident. On August 7, 2024, Omni Family Health was made aware that a threat actor (Hunters International) had claimed to have compromised its network and had posted data allegedly stolen in the attack on the dark web.

Omni Family Health investigated and concluded that the data was real and issued notifications to the 468,344 affected individuals, who included current and former patients and employees. Data potentially stolen in the attack included names, addresses, Social Security numbers, dates of birth, health insurance information, and medical information. The affected individuals were notified about the data breach on October 10, 2024.

The first three class action lawsuits were filed in the Eastern District of California on October 20, 2024, and subsequently, 19 separate actions were filed in the Superior Court of the State of California, Kern County. All 21 actions were consolidated into a single action first in the Eastern District of California, and were then remanded to the Superior Court on January 14, 2025, with the case Pace v. Omni Family Health designated as the lead case.

Omni Family Health denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. Despite believing that it had good defenses to all of the claims, Omni Family Health moved to settle the litigation to avoid the time, expense, risk, exposure, inconvenience, and uncertainty of a trial and related appeals. Class counsel evaluated the costs, risks, and uncertainty of continuing with the litigation, and based on an analysis of comparable settlements, determined that the settlement was in the best interests of all class members. The settlement has recently been granted preliminary approval by the court, and the final fairness hearing has been scheduled for February 26, 2026.

Omni Family Health has agreed to establish a $6,500,000 settlement fund, from which attorneys’ fees and expenses (approximately $2.2 million), class representative awards ($1,500 per named plaintiff, totaling $30,000), and settlement notification and administration costs will be deducted. The remainder of the settlement will be used to pay benefits to the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a pro rata cash payment, which has been calculated to be $105.56 per class member based on a 4% claim rate. All class members are also entitled to claim two years of single-bureau credit monitoring and identity theft protection services, and members of the California resident subclass may claim an additional pro rata cash payment of $100. The cash payments may be adjusted based on the number of valid claims received, and will be calculated after credit monitoring costs have been deducted from the settlement fund.

Omni Family Health has also agreed to implement changes to its business practices and make several security enhancements to prevent similar incidents in the future. The cost of those security enhancements will not be paid from the settlement fund. Individuals wishing to object to the settlement or exclude themselves have until December 5, 2025, to do so, and claims must be submitted by January 5, 2026.

The post $6.5 Million Settlement Resolves Omni Family Health Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

CarePro to Pay $1.3 Million to Settle Class Action Data Breach Lawsuit

The Iowa-based healthcare company, CarePro Health Services, has agreed to pay $1.3 million to settle class action litigation stemming from a November 2023 cyberattack and data breach affecting up to 151,499 individuals.

The cyberattack that triggered the lawsuit was first identified by CarePro on November 16, 2023. Unauthorized individuals remotely accessed a system where unencrypted patient data was stored. Files containing patients’ protected health information were exfiltrated from the network before the intrusion was detected and blocked. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial account information, and medical/health information. The affected individuals were offered complimentary credit monitoring and identity theft protection services.

Shortly after CarePro mailed notifications to the affected individuals, a lawsuit was filed by CarePro patient Brandi Bell, individually and on behalf of similarly situated individuals. The lawsuit was soon followed by another complaint filed by Brandie Keegan, individually and on behalf of her minor child and similarly situated individuals. The lawsuits were consolidated into a single complaint, Bell et al. v. C.R. Pharmacy Services, Inc. d/b/a CarePro Health Services, in the Iowa District Court for Linn County.

The lawsuit claimed that the plaintiffs suffered concrete injuries as a direct result of the data breach, including invasion of privacy, lost or diminished value of private information, lost time and opportunity costs, and loss of the benefit of the bargain. The plaintiffs’ and class members’ personal and protected health information remains in the hands of cybercriminals, placing them at an increased risk of identity theft and fraud for years to come.

The plaintiffs claimed that the data breach could have and should have been prevented, as the defendant failed to implement adequate and reasonable cybersecurity measures to protect patient data and recklessly maintained patient information. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, breach of fiduciary duty, breach of confidence, unjust enrichment, invasion of privacy (intrusion upon seclusion), and violations of the Iowa Consumer Fraud Act and the Iowa Personal Information Security Breach Protection Act.

CarePro denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. All parties agreed that further litigation, a trial, and any related appeals would likely be protracted and expensive and involve risks and uncertainties for all parties, so the decision was taken to settle the litigation. It took several months of negotiations; however, a settlement has been agreed upon that is acceptable to all parties.

The settlement includes three benefits for class members, which will be paid for from a $1,300,000 settlement fund after attorneys’ fees and expenses, class representative service awards, and settlement administration costs have been deducted.

A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition to or instead of a claim for reimbursement of losses, class members may claim a pro rata cash payment, which is expected to be $100 per class member. The cash payment will be adjusted upwards or downwards depending on the number of valid claims received.

All class members are also entitled to claim two years of three-bureau credit monitoring, dark web monitoring, and identity theft protection services. The cost of the credit monitoring services will be deducted from the settlement fund before the cash payments are calculated. The deadline for excluding oneself from (opting out of) the settlement is December 3, 2025. Claims must be submitted by December 3, 2025, and the final fairness hearing has been scheduled for January 23, 2025.

Audit Uncovers Security Weaknesses in the NIH All of Us Security Program

An audit of the National Institutes of Health (NIH) All of Us Research Program has uncovered privacy and security weaknesses that put the health information of more than 1 million individuals at risk of compromise.

The All of Us Research Program was launched in 2015 as part of the NIH Precision Medicine Initiative to advance disease prevention and treatment by making the personal health and genomics data of more than 1 million individuals available for research purposes. Unlike research studies that focus on a specific disease or cohort of people, the All of Us Research database can be used to study a wide range of health conditions and diseases. The data is housed by the Data and Research Center (DRC) and is managed by an NIH award recipient, Vanderbilt University Medical Center. The All of Us database is one of the largest health research databases of its kind.

While general data about the entire group of participants can be viewed by anyone, only researchers approved by the All of Us Research Program are allowed to view data from individual participants. Such a large database of health information is extremely valuable; therefore, robust privacy and security measures must be implemented to protect research participants’ data from cybersecurity and national security threats.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently published the findings of a 2024 audit that sought to determine whether appropriate access controls had been implemented by the DRC award recipient, if appropriate privacy and security controls were in place, and if information security and privacy weaknesses had been addressed in accordance with federal standards.

HHS-OIG determined that the DRC award recipient had implemented some cybersecurity controls, including vulnerability scanning, penetration testing, flaw remediation, system monitoring, incident response, contingency planning, disaster recovery, and security awareness training; however, controls were inadequate in some areas, which put research participants’ data at an increased risk of compromise.

HHS-OIG identified access control weaknesses. For instance, while authorized users were permitted to remotely access the information systems from foreign countries with prior approval, there were no controls in place to restrict such access to only the individuals who had received approval. As such, any authorized user could access the information systems from a foreign country. Similarly, while downloads of detailed participant data are prohibited, there were no technical access controls in place to prevent such downloads.

HHS-OIG also found that the DRC award recipient failed to communicate national security concerns associated with the maintenance of genomic data to NIH and did not resolve identified weaknesses and vulnerabilities within the timeframe stipulated by NIH in its award agreement. As such, there was an increased risk of research participants’ data, including genomic data, being accessed, downloaded, and misused by bad actors, including foreign adversaries.

HHS-OIG made five recommendations to NIH to improve oversight of the All of Us Research Program and address the identified privacy and security issues. NIH concurred with all five recommendations and is implementing measures to address the privacy and security weaknesses. NIH has confirmed that measures already fully implemented include controls to resolve the remote access security issues, and access from certain countries of concern has been blocked, including China, Cuba, Iran, Russia, and North Korea.

Fortinet Patches Actively Exploited FortiWeb Zero Day Flaw

Patches have been released to fix a critical OS command injection vulnerability affecting Fortinet web application firewalls. The FortiWeb zero-day vulnerability is rated medium-severity with a CVSS score of 6.7 out of 10; however, the vulnerability is being actively exploited in the wild.

The vulnerability, tracked as CVE-2025-58034, can only be exploited by an authenticated attacker, hence the relatively low CVSS score; however, exploitation is low complexity and allows the attacker to execute unauthorized code on the underlying system. It can be triggered via specially crafted HTTP requests or CLI commands. The flaw was identified by Jason McFadyen of Trend Micro’s Trend Research team and is due to improper neutralization of special elements used in an OS command (OS command injection).

The vulnerability affects multiple FortiWeb versions:

Vulnerable Versions            | Fixed Versions
-------------------------------|-------------------------
FortiWeb 8.0.0 through 8.0.1   | FortiWeb 8.0.2 and above
FortiWeb 7.6.0 through 7.6.5   | FortiWeb 7.6.6 and above
FortiWeb 7.4.0 through 7.4.10  | FortiWeb 7.4.11 and above
FortiWeb 7.2.0 through 7.2.11  | FortiWeb 7.2.12 and above
FortiWeb 7.0.0 through 7.0.11  | FortiWeb 7.0.12 and above

This is the second vulnerability in FortiWeb to be identified and patched recently. Last week, Fortinet announced that a critical path traversal vulnerability in FortiWeb, tracked as CVE-2025-64446 (CVSS v3.1 9.4), received a silent patch on October 28, 2025. The vulnerability can be exploited by an unauthenticated attacker to execute administrative commands on the system via specially crafted HTTP or HTTPS requests.

The vulnerability affects versions 8.0.2 through 8.0.1 and versions 7.6.0 through 7.6.4. The vulnerability was fixed in version 8.0.2 and above, and version 7.6.5 and above. Defused reports that there has been active exploitation of the vulnerability, although that has yet to be confirmed by Fortinet. It is unclear why a security advisory about the flaw was not released at the time the patch was released.
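Because the two FortiWeb advisories have different fixed releases on the same branches, an appliance patched for one can still be exposed to the other (a 7.6.5 build is fixed for CVE-2025-64446 but not CVE-2025-58034). The following triage script is an added example, not Fortinet's code or tooling: the first-fixed-release data is taken from the advisories summarised above, while the hostnames and inventory versions are constructed, and branches not listed in an advisory are reported as "not listed" rather than assumed safe.

```python
"""Triage FortiWeb firmware versions against CVE-2025-58034 and CVE-2025-64446.

Added example (not Fortinet tooling). A version counts as affected when its
branch (first two components) is listed for the advisory and it is below the
first fixed release given in the article.
"""

# Branch -> first fixed release, as stated in the advisories above.
ADVISORIES = {
    "CVE-2025-58034": {"8.0": "8.0.2", "7.6": "7.6.6", "7.4": "7.4.11",
                       "7.2": "7.2.12", "7.0": "7.0.12"},
    "CVE-2025-64446": {"8.0": "8.0.2", "7.6": "7.6.5"},
}


def parse_version(v: str) -> tuple:
    """'7.6.10' -> (7, 6, 10); numeric tuples avoid the string bug '7.6.10' < '7.6.9'."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FortiWeb version format: {v!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, cve: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not listed' for one advisory."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = ADVISORIES[cve].get(branch)
    if fixed is None:
        return "not listed"  # branch absent from the advisory: verify manually, do not assume safe
    return "vulnerable" if parsed < parse_version(fixed) else "fixed"


def triage(inventory: dict) -> dict:
    """Map each host to its status under every advisory in ADVISORIES."""
    return {host: {cve: assess(ver, cve) for cve in ADVISORIES}
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {"waf-edge-01": "7.6.5", "waf-edge-02": "7.4.11", "waf-lab": "7.2.9"}
    for host, result in triage(sample).items():
        print(host, sample[host], result)
```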
