City of Oakland Agrees Settlement to Resolve Class Action Data Breach Lawsuit
The City of Oakland in California has agreed to settle litigation stemming from a ransomware attack and data breach that affected more than 13,000 current and former employees. The attack was detected in February 2023, and notification letters were sent to the affected employees in early March 2023.
The Play ransomware group claimed responsibility for the attack, which forced the city to shut down its IT systems, resulting in a state of emergency being declared in the city. The ransomware group released the stolen data on its data leak site when the city refused to pay the ransom. Among the leaked data was the personal information of individuals employed by the city between July 2010 and January 2022. The ransomware group gained access to the network after employees responded to phishing emails.
Several lawsuits were filed in response to the breach, alleging the city was negligent by failing to implement appropriate safeguards to protect its network and data. The city maintains there was no wrongdoing; however, it agreed to settle the litigation to prevent further legal costs and avoid the risks and uncertainties associated with any litigation. The city had already offered complimentary credit monitoring and identity theft protection services to the affected individuals; however, those services have been extended, with all class members entitled to receive three years of three-bureau credit monitoring services.
The settlement also includes compensation for out-of-pocket expenses and lost time. Claims can be submitted for reimbursement of ordinary losses, including credit report and credit monitoring costs up to $350 per person, which may include up to three hours of lost time at $25 per hour. Claims may also be submitted for extraordinary losses up to $10,000 per claimant, which can include documented losses to identity theft and fraud. Individuals who served as police officers will receive a cash payment of $175, regardless of whether they suffered any losses.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for June 3, 2025.
June 5, 2023: City of Oakland Facing Multiple Class Action Lawsuits Over February Ransomware Attack
Multiple class action lawsuits have been filed against the city of Oakland in California over a ransomware attack and data breach that involved the theft of the personal and protected health information of 13,000 current and former employees. The ransomware attack was detected on February 8, 2023, and forced the city to shut down its systems to contain the attack, resulting in a state of emergency being declared in the city. Systems remained offline for weeks due to the attack, with the recovery process taking months.
The Play ransomware group took credit for the attack and started leaking some of the stolen data to pressure the city into paying the ransom. Initially, 10 gigabytes of stolen data was released on the group’s dark web data leak site, followed by a massive data dump of 600 gigabytes when the city continued to refuse to pay the ransom. The leaked data included the personal information of individuals employed by the city between July 2010 and January 2022. The ransomware attack is understood to have started with phishing emails.
Multiple class action lawsuits have been filed against the city on behalf of victims of the data breach that allege the city failed to implement appropriate security measures to keep employees’ private information confidential, with several victims of the breach claiming they have had their identities stolen and have experienced credit card fraud. The city has offered complimentary credit monitoring services to affected employees and has started to improve security, including implementing a training program for the workforce to improve resilience to phishing attempts.
A lawsuit was filed by the Oakland police officers’ union that alleges the city failed to provide important information about the extent of the incident and the types of data stolen in the attack, and seeks monetary compensation and extended credit monitoring and identity theft protection and restoration services. Another lawsuit names police services technician Hada Gonzalez as lead plaintiff, who alleges the city was negligent for failing to protect against the attack. The lawsuit alleges data breach notification failures and violations of the HIPAA Security Rule. As a result of the negligence, the plaintiffs and class members claim they have suffered ongoing, imminent, and impending threats of fraud, identity theft, and abuse of their data, resulting in monetary losses and economic harm. The lawsuit seeks an award of damages and injunctive relief, including the requirement for the city to maintain a comprehensive information security program, encrypt sensitive data, undergo third-party security audits, establish an information security training program, and implement other security measures.


