Northbay Healthcare Pays $3.6 Million to Resolve Data Breach Lawsuit

Northbay Healthcare Corporation agreed to a settlement to resolve a class action lawsuit associated with a 2024 cyberattack and data breach that impacted approximately 570,000 people.

Northbay Healthcare discovered suspicious activity inside its computer system on February 23, 2024. According to a forensic investigation, an unauthorized third party accessed the network from January 11, 2024, to April 1, 2024, and exfiltrated sensitive information from the network. Northbay Healthcare reported the data breach to the HHS’ Office for Civil Rights, stating that the protected health information (PHI) of 569,012 individuals was impacted. Breached data (which are classified as PHI under HIPAA) included the following: names, birth dates, Social Security numbers, driver’s license numbers, passport numbers, medical data, medical insurance data, biometric data, financial account numbers, usernames/passwords, and credit/debit card numbers.

The plaintiffs filed the McCalmon v. Northbay Healthcare Corporation lawsuit in the Superior Court for the County of Solano in California. The lawsuit alleged negligence for failing to apply acceptable and proper security procedures to protect the privacy and confidentiality of sensitive patient information. It also asserted claims of violation of California's Unfair Competition Law (Cal. Bus. & Prof. Code § 17200), unjust enrichment, and breach of implied contract.

Northbay Healthcare rejects all claims and arguments in the complaint and asserts there was no wrongdoing. Even so, the parties agreed to settle to avoid the increasing expense, burden, and interruption to business operations of ongoing litigation. Under the settlement terms, Northbay Healthcare will create a $3,600,000 settlement fund, which will cover attorneys' fees (approximately 33% of the fund), legal costs and expenditures, the settlement administration costs, and the class representative award ($5,000). The remaining funds are allocated for the benefit of class members.

All class members are provided with dark web monitoring, credit monitoring, and identity recovery services for three years, plus $1,000,000 in identity theft insurance coverage. Class members can select one of two benefits: compensation for out-of-pocket expenditures resulting from the data breach, around $4,000 per class member, or a fixed $100 cash payment, computed pro rata based on the number of legitimate claims received.

People can file an objection to or request exclusion from the agreement until September 30, 2025. The last day for filing a claim is October 14, 2025. The final approval hearing is scheduled for October 29, 2025.


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years' experience.