Behavioral Health Resources Pays $1.1 Million to Settle Data Breach Lawsuit
Behavioral Health Resources, a behavioral and mental health services provider serving patients in Thurston County, Olympia, in Washington state, has agreed to settle a consolidated class action lawsuit stemming from a data incident identified on November 20, 2024. The forensic investigation confirmed unauthorized access to its technology systems, resulting in the exposure and potential theft of the personal and protected health information of 50,083 current and former patients. The affected individuals were notified about the incident in January 2025.
Several class action lawsuits were filed in response to the data breach, the first of which was filed by plaintiff Carol Walker in the Superior Court of Thurston County, Washington. Separate class action complaints were subsequently filed by plaintiffs Rebecca A. Campos, Adam Shotswell, Smukweshun Okena, and Kim Ridgway. The lawsuits were consolidated into a single complaint – Walker et al. v. Behavioral Health Resources.
The plaintiffs allege that Behavioral Health Resources failed to implement reasonable and appropriate cybersecurity measures to protect patients’ protected health information, in violation of federal and state laws. Behavioral Health Resources maintains that there was no wrongdoing, that the class representatives and the class members have not suffered any damages as a result of the data breach, and the defendant denies that the complaint meets the requirements to be tried as a class action lawsuit. Following mediation and subsequent negotiations, all parties agreed to settle the litigation to avoid further legal costs and the uncertainty of a trial. The settlement was agreed upon by all parties on August 25, 2025, and has been granted preliminary approval by the court.
Behavioral Health Resources has agreed to establish a $1.1 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. After those costs have been deducted, the remainder of the settlement will be used to pay benefits to the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Class members can also submit a claim for reimbursement of attested lost time of up to five hours at $25 per hour, and a one-time cash payment, which is expected to be approximately $100 per class member, but may be higher or lower, depending on the number of valid claims.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Class members are also eligible to enroll in the CyEx Medical Shield Total medical data monitoring service for three years, which includes a $1 million identity theft insurance policy. The final approval hearing has been scheduled for February 6, 2026. The opt-out and objection deadline is December 13, 2025, and the claim deadline is January 1, 2026.
