25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Balance Autism Settles Class Action Data Breach Lawsuit

Posted By on Mar 23, 2026

Balance Autism has agreed to settle a class action lawsuit stemming from a security incident that exposed patient information. Altoona, Iowa-based Balance Autism identified a cybersecurity incident on or around March 17, 2025, that resulted in a data breach. Hackers had access to its network from March 11, 2025, to March 17, 2025, and obtained access to data such as names, dates of birth, Social Security numbers, health insurance information, and Medicaid numbers. The data breach was reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 1,281 individuals.

A class action lawsuit – Bennett v. Balance Autism – was filed in the Iowa District Court for Polk County by plaintiff Andrea Bennett, individually and on behalf of other similarly affected individuals. The lawsuit alleged that the cybersecurity incident resulted from the defendant’s negligence in failing to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network. The lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, and invasion of privacy. The defendant denies all claims and contentions in the lawsuit, including allegations of fault, wrongdoing, and liability; however, following mediation, a settlement was agreed that was acceptable to all parties to bring the litigation to an end.

Under the terms of the settlement, Balance Autism has agreed to pay for two years of credit monitoring and identity theft protection services and will accept claims from the affected individuals for up to $400 as reimbursement for out-of-pocket losses due to the data breach, and up to four hours of lost time at $20 per hour. Alternatively, instead of submitting a claim for reimbursement of losses and lost time, class members may submit a claim for a cash payment, which is estimated to be $50, but may be lower, depending on the number of claims received.

The deadline for exclusion and objection is May 1, 2026; the claims deadline is June 1, 2026; and the final approval hearing has been scheduled for June 12, 2026.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist