
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Greater Cincinnati Behavioral Health Services Pays $850K to Settle Data Breach Litigation

Greater Cincinnati Behavioral Health Services (GCBHS) has agreed to pay up to $850,000 to resolve all claims related to a December 2023 ransomware attack that involved unauthorized access to patient and employee information. GCBHS identified the cyberattack on December 10, 2023, and determined that initial access to its network occurred the previous day. The DragonForce ransomware group was behind the attack, and initial access was gained using compromised employee credentials. Those credentials gave the ransomware group access to 72 GB of sensitive data, including employee and patient information.

The breach was reported to the Maine Attorney General as affecting approximately 62,000 individuals, and the HHS’ Office for Civil Rights was told that the protected health information of up to 50,000 individuals was exposed in the attack. The affected employees and patients started to be notified about the data breach on June 12, 2024, and learned that their names, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, health information, and health insurance information had been exposed and potentially stolen.

Two class action lawsuits were filed in response to the breach and were consolidated into a single complaint – In Re: Greater Cincinnati Behavioral Health Services Data Incident Litigation – in the Court of Common Pleas for Hamilton County, Ohio. The consolidated complaint alleged the defendant had failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network. The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. GCBHS denies all claims of wrongdoing and liability.

All parties attended mediation. A settlement was not agreed upon at mediation, but following months of continued negotiations, the parties reached a settlement in principle, acceptable to all of them, to resolve the litigation. The settlement agreement has recently received preliminary approval from the court. Under the terms of the settlement, GCBHS has agreed to pay a maximum of $850,000 to resolve the litigation, inclusive of attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. There are approximately 61,850 individuals in the settlement class.


Class members may submit a claim for reimbursement of documented, unreimbursed losses up to a maximum of $5,000 per class member. A pro rata cash payment can be claimed, which is expected to be in the range of $60 to $120. Additionally, all class members are entitled to claim a one-year subscription to the three-bureau CyEx Medical Shield service. The deadline for objection to and exclusion from the settlement is November 11, 2025. The deadline for submitting a claim is December 11, 2025, and the final approval hearing has been scheduled for January 14, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
