Northbay Healthcare Settles Data Breach Litigation for $3.6 Million
A settlement has been approved to resolve class action litigation against Northbay Healthcare Corporation over a 2024 cyberattack and data breach that affected almost 570,000 individuals.
Northbay Healthcare identified suspicious activity within its computer network on February 23, 2024. The forensic investigation confirmed that an unauthorized third party had access to the network between January 11, 2024, and April 1, 2024, during which time sensitive data was exfiltrated from the network. The Northbay Healthcare data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 569,012 individuals. Data compromised in the incident included names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers, medical information, health insurance information, biometric information, usernames/passwords, financial account numbers, and credit/debit card numbers.
A lawsuit – McCalmon v. Northbay Healthcare Corporation – was filed in the Superior Court for the County of Solano, California, over the data breach. The lawsuit alleged negligence due to the failure to implement reasonable and appropriate security measures to keep sensitive patient data private and confidential. The lawsuit also asserted claims of breach of implied contract, unjust enrichment, and a violation of California’s Unfair Competition Law (Cal. Bus. Prof. Code § 17200).
Northbay Healthcare denies all claims and contentions in the complaint and maintains there was no wrongdoing; however, a settlement was agreed to avoid the costs, expenses, distractions, burden, and disruption to business operations of continuing with the litigation. Under the terms of the settlement, Northbay Healthcare will establish a $3,600,000 settlement fund out of which attorneys’ fees (up to one-third of the settlement amount), legal costs and expenses, the class representative award ($5,000), and settlement administration costs will be deducted. The remaining funds will be used to pay for benefits for class members.
All class members are eligible to receive three years of credit monitoring, dark web monitoring, and identity recovery services, which include a $1,000,000 identity theft insurance policy. Class members may choose one of two benefits: Reimbursement of out-of-pocket expenses due to the data breach, up to a maximum of $4,000 per class member, or a flat cash payment of $100, subject to a pro rata increase or decrease depending on the number of valid claims received.
Individuals wishing to object to the settlement or exclude themselves must do so by September 30, 2025. The deadline for submitting a claim is October 14, 2025, and the final approval hearing is scheduled for October 29, 2025.


