Community Care Alliance Agrees to Pay $1.09 Million to Settle Class Action Ransomware Lawsuit
Woonsocket, RI-based Community Care Alliance has agreed to pay $1,090,000 to resolve a class action lawsuit over a July 2024 ransomware attack by the Rhysida ransomware group.
Rhysida is a ransomware group that engages in double extortion tactics, stealing data and encrypting files. A ransom demand is issued, payment of which is required to obtain the decryption keys and to have the stolen data deleted. In contrast to many other groups that simply leak the stolen data if the ransom is not paid, Rhysida holds auctions and attempts to sell the stolen data, only leaking the stolen data if a sale cannot be secured. Rhysida claimed to have exfiltrated a 2.5 terabyte database in the attack.
Community Care Alliance discovered the attack on July 6, 2024, and determined that the ransomware group had access to its network from July 1, 2024, to July 5, 2024. During that time, data was exfiltrated, including names, addresses, birth dates, driver’s license numbers, Social Security numbers, diagnosis and condition information, lab test results, medications, health insurance information, and other sensitive data. The Community Care Alliance data breach involved the protected health information of 114,975 individuals.
A lawsuit – Flacco v. Community Care Alliance – was filed in the Superior Court for the State of Rhode Island, Providence County, that alleged Community Care Alliance was negligent by failing to implement reasonable and appropriate cybersecurity measures, and that the ransomware attack could have been prevented if those measures had been implemented. The lawsuit also asserted claims of breach of implied contract and unjust enrichment.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Community Care Alliance denies all wrongdoing and liability; however, it chose to negotiate a settlement to bring the litigation to an end to prevent further costs from protracted litigation and the uncertainty of the outcome at trial. A $1.09 million settlement fund will be established, out of which attorneys’ fees ($363,333.33), legal costs and expenses, settlement administration costs, and a service award for the named plaintiff ($2,500) will be deducted. The remainder of the fund will be used to pay benefits to the class members.
Class members may submit a claim for reimbursement of documented monetary losses incurred due to the data breach after July 29, 2024, which can include costs and charges, losses due to fraud and identity theft, and other costs reasonably related to the data breach. The claims are capped at a maximum of $5,000 per class member.
Class members can also choose to receive a cash payment of $100 in addition to or instead of a claim for reimbursement of losses. The cash payments may be higher or lower based on the number of valid claims and will be paid pro rata. In addition to those benefits, class members may also claim two years of three-bureau credit monitoring, dark web monitoring, and identity theft protection and insurance services.
The deadline for opting out of and objecting to the settlement is September 2, 2025. Claims must be submitted by October 1, 2025, and the final fairness hearing has been scheduled for October 8, 2025. The settlement has already received preliminary approval from the court.
