Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation
Rancho Family Medical Group, a primary care medical group serving patients in Southern California, has agreed to pay $315,000 to settle class action litigation stemming from a 2023 data breach that exposed patients’ protected health information.
Rancho FMG was notified on January 11, 2024, about a security incident at its vendor KMJ Health Solutions. KMJ provided the medical group with online signout and charge capture systems and experienced a security incident on November 19, 2023, that exposed patient information such as names, dates of birth, medical record numbers, treatment locations, dates of services, and medical procedure codes.
The vendor was unable to determine exactly which patients had been affected or the exact types of data involved, as the impacted data had been wiped and was unrecoverable. On or around March 12, 2024, Rancho FMG notified all potentially affected patients, including current patients and patients going back ten years. Approximately 11,500 notification letters were mailed, although the HHS’ Office for Civil Rights was informed that 10,480 individuals had been affected.
Shortly after notifications were mailed, a class action lawsuit was filed in the Superior Court of California, County of Riverside, by one of the affected patients, Catrina Brannon, individually and on behalf of similarly situated individuals. The lawsuit asserted claims of violations of the California Confidentiality of Medical Information Act (CMIA) and California’s Unfair Competition Law (UCL).
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Rancho FMG denies any wrongdoing and disagrees with all claims and contentions in the lawsuit. Prior to engaging in extensive motion practice, the parties agreed to mediate to avoid unnecessary legal costs, and a settlement was negotiated that was acceptable to all parties. Under the terms of the settlement, Rancho FMG will establish a $315,000 settlement fund to cover notice and administration expenses, fee awards and expenses, service awards, and benefits to the class members. All class members will receive a code to activate three years of three-bureau credit monitoring services.
In addition, class members may submit a claim for reimbursement of up to four hours of lost time remedying issues arising from the data breach at a rate of $17 per hour. Claims may also be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach, and any funds remaining in the settlement will be paid as a pro rata cash payments, which will not exceed $1,000 per class member. The cash payments will depend on the number of valid claims received.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for January 28, 2026. The deadline for objection to and exclusion from the settlement is December 29, 2025, and claims must be submitted by December 29, 2025.
