WellNow Urgent Care Agreed to Settle Data Breach Litigation for $4.4 Million

WellNow Urgent Care (formerly known as Five Star Urgent Care), a community of walk-in urgent care centers in Illinois, New York, Ohio, and Michigan, has agreed to pay $4.4 million to resolve a class action lawsuit. The lawsuit stems from a cyberattack and data breach discovered on or about April 25, 2023, after ransomware was used to encrypt patient files. The attacker stole data including names, birth dates, state ID/driver’s license data, Social Security numbers, medical and insurance details, banking data, and biometric information.

The data breach also affected the following companies:

  • ADMI Corp. dba TAG or The Aspen Group (WellNow Urgent Care’s parent company)
  • Aspen Dental Management
  • Aspen Dental
  • Physicians Immediate Care
  • Physicians Immediate Care Chicago

The attack compromised the protected health information (PHI) of about 597,000 people. Notification of the individuals affected by the data breach and potential HIPAA violation began in February 2024.

In March 2024, plaintiffs Genevieve Tambroni, James Beach, John Lattimore, as father for minor children S.L. and V.L., Ella Williams, Claudine King, Caitlin McDaniel, Wesley Lumpkins, and Ian Curro filed lawsuits in connection with the data breach in the United States District Court for the Northern District of Illinois and the Circuit Court of Cook County, Illinois. The lawsuits alleged negligence, breach of the implied covenant of good faith and fair dealing, unjust enrichment, and breach of implied contract. The consolidated lawsuit, Tambroni, et al. v. WellNow Urgent Care, P.C., et al., was filed in the Circuit Court for Sangamon County, Illinois.

The defendants rejected and still reject all claims and allegations in the lawsuits and all accusations of liability and wrongdoing. They filed a motion to dismiss the lawsuits, but it was not successful. All parties agreed to settle to avoid continued litigation, which would probably be prolonged and costly, with an uncertain result.

The settlement class is divided into two subclasses. Most class members, about 541,870 individuals, belong to the non-SSN subclass because their Social Security numbers were not compromised. The other 55,131 class members belong to the SSN subclass because their Social Security numbers were compromised. The non-SSN subclass will receive benefits capped at $3.3 million, while the SSN subclass will receive benefits capped at $1.1 million. 90% of attorneys’ fees, expenses, and service awards will be taken from the non-SSN settlement fund, and the remaining 10% will be taken from the SSN settlement fund. The total amount of attorneys’ fees and expenses is $1,452,000. Each plaintiff will receive a service award of $2,000.

Non-SSN subclass members are eligible to file claims for expenses reasonably linked to the data breach and approximately 2 hours of lost time valued at $25 an hour. Claims for extraordinary out-of-pocket expenditures may be filed for up to $7,500 per claimant. SSN subclass members can file a claim for about 3 hours of lost time valued at $25 an hour, and for extraordinary out-of-pocket costs up to $7,500 per claimant. Alternatively, instead of filing a claim for lost time and reimbursement of extraordinary out-of-pocket costs, SSN subclass members can choose to receive a pro rata cash payment. The amount of the pro rata cash payment will depend on what is left in the settlement fund after all payments for claims and expenses have been deducted.

The court has given preliminary approval of the settlement. The final fairness hearing is scheduled for August 15, 2025. Claimants can expect payment within 75 days of the court’s final approval. People who wish to object to or exclude themselves from the settlement should do so on or before July 11, 2025. Claims should also be filed by the same date. Class members who don’t do anything will not get a refund. More information is available on the settlement website: wellnowdatasecuritysettlement.com.

Image credit: M. Suhail, AdobeStock


Posted by

John Blacksmith

John Blacksmith is a journalist with several years of experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years of experience.