$3.5 Million Mindpath Health Data Breach Settlement Gets First Nod
A California Superior Court judge has given preliminary approval to a settlement to resolve litigation against Community Psychiatry Management, LLC, operating as Mindpath Health, to resolve a class action lawsuit stemming from two email data breaches in 2022 that affected 193,947 individuals.
Mindpath Health is a California-based mental health service provider serving patients in seven U.S. states. In March 2022 and again in June 2022, unauthorized individuals gained access to Microsoft Office 365 business accounts that contained the protected health information of Mindpath Health patients and other individuals. The breach was discovered in June during a routine audit of its email environment, which identified suspicious account activity.
The investigation confirmed that two email accounts had been subject to unauthorized access in March and June 2022, exposing names, addresses, Social Security numbers, dates of birth, medical diagnoses, prescriptions, treatment information, and health insurance information. Notification letters were sent to the affected individuals on January 10, 2023, almost seven months after the breach was identified
A class action lawsuit was filed in the Eastern District of California by plaintiff Corina Lowrey on January 30, 2023, followed by two further complaints from other Mindpath Health patients. The lawsuits were consolidated into a single complaint – Lowrey, et. al., v. Community Psychiatry Management, LLC – in the Superior Court of California, County of Los Angeles.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The plaintiffs claimed that the breach was a direct consequence of cybersecurity failures by the defendant, with the lawsuit asserting claims of negligence, breach of fiduciary duty, breach of implied contract, breach of confidence, unjust enrichment/quasi-contract, and violations of the California Constitutional Right to Privacy, California Confidentiality of Medical Information Act, California Unfair Competition Law, California Consumer Records Act, California Consumer Privacy Act, and California Consumer Legal Remedies Act.
The defendant maintains that there was no wrongdoing and disagrees with all claims and contentions in the lawsuit; however, following two full-day mediation sessions, all parties reached an agreement to settle the litigation to avoid further legal expenses from what would likely be protracted litigation and the uncertainty of trial and related appeals.
Under the terms of the settlement, the defendant will establish a $3.5 million settlement fund from which attorneys’ fees ($1,166,666.67) and expenses (up to $35,000), settlement administration costs (up to $202,900), and service awards ($5,000 for each of the three plaintiffs) will be deducted. The remainder of the settlement will be used to pay for benefits for the class members.
Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $1,500 per class member, and up to $10,000 as reimbursement for documented, unreimbursed extraordinary losses, including losses due to identity theft and fraud. All class members who submit a valid claim are entitled to three years of credit monitoring services.
As an alternative to the credit monitoring services, class members can choose to receive a pro rata cash payment, expected to be approximately $50. The cash payments may be adjusted upwards or downwards depending on the number of valid claims received. Individuals who were California residents at the time of either of the two email security incidents may claim an additional pro rata cash payment of $50. These payments may also be adjusted based on the number of valid claims received.
The final approval hearing has been scheduled for February 19, 2026. Individuals wishing to object to the settlement, exclude themselves, or submit a claim for benefits must do so by January 5, 2026.
