Community Care Alliance settles ransomware lawsuit for $1.09 million

The Rhode Island nonprofit will compensate victims of a 2024 cyberattack that exposed nearly 115,000 patient records.

What happened

Community Care Alliance (CCA), based in Woonsocket, Rhode Island, has agreed to a $1.09 million class action settlement following a ransomware attack by the Rhysida group in July 2024. The group accessed CCA’s systems between July 1 and July 5, exfiltrating protected health information on 114,975 individuals. The stolen data included names, birth dates, Social Security numbers, medical records, insurance details, and more.

The lawsuit, Flacco v. Community Care Alliance, alleged that CCA failed to implement reasonable cybersecurity measures that could have prevented the breach. Although CCA denies wrongdoing, it opted to settle in order to avoid prolonged litigation and trial uncertainty.

Going deeper

Rhysida, a known ransomware group, employs double extortion tactics: it steals data, encrypts systems, and demands payment for both decryption and deletion. Unlike many groups that leak data outright, Rhysida attempts to sell stolen datasets via online auctions, only releasing them publicly if no buyer emerges. The group claimed to have stolen 2.5 terabytes of CCA data.

The settlement fund will be used for attorney fees, legal costs, administrative expenses, and payments to affected individuals. Eligible class members can:

• Submit claims for out-of-pocket losses (up to $5,000) related to the breach
• Opt for a flat $100 cash payment (adjusted based on total claims)
• Receive two years of three-bureau credit monitoring, dark web monitoring, and identity theft protection

What was said

CCA has not admitted liability but stated that the settlement is intended to resolve the matter efficiently. The final fairness hearing is set for October 8, 2025. Affected individuals must file claims by October 1 and may opt out or object by September 2. The court has already granted preliminary approval.

The big picture

The Community Care Alliance settlement shows how a single ransomware attack can lead to significant financial and legal fallout. Although the organization denies liability, the $1.09 million fund will cover victim compensation, legal fees, and credit protection services for over 100,000 affected individuals. The case also demonstrates how breach response now includes technical recovery, legal resolution, and long-term patient communication. For CCA, the settlement offers closure without a trial, but the reputational impact may continue beyond the court process.

FAQs

Who qualifies as a class member in this case?

Anyone whose personal or health data was exposed in the July 2024 breach at Community Care Alliance is considered part of the class.

What documentation is needed to claim reimbursement for losses?

Class members must provide receipts or records of out-of-pocket expenses, such as fraud-related charges or credit monitoring purchased after July 29, 2024.

Can someone claim both the $100 payment and reimbursement for losses?

Yes. Individuals can claim both, but the final payment amounts may vary based on the number of total valid claims.

What kind of credit and identity protection services are being offered?

The settlement includes two years of three-bureau credit monitoring, dark web monitoring, identity theft insurance, and related protection tools.

What happens after the final fairness hearing in October?

If the settlement is granted final approval, payments and benefits will begin to be distributed to eligible class members shortly after.