
Northbay Healthcare agrees to $3.6m settlement over 2024 data breach

The breach affected nearly 570,000 individuals and has now resulted in a class action settlement offering financial and identity protection benefits.

 

What happened

Northbay Healthcare Corporation has agreed to a $3.6 million settlement to resolve a class action lawsuit related to a cyberattack and data breach that occurred in early 2024. The breach was first detected on February 23, 2024, though forensic investigations revealed that an unauthorized party had accessed the network from January 11 to April 1, 2024.

The breach exposed protected health information (PHI) of approximately 569,012 individuals, including names, dates of birth, Social Security numbers, medical and insurance details, biometric data, financial information, and login credentials.

 

Going deeper

Following the breach, a lawsuit, McCalmon v. Northbay Healthcare Corporation, was filed in California’s Solano County Superior Court. Plaintiffs alleged Northbay failed to implement reasonable security measures and brought claims including negligence, breach of implied contract, unjust enrichment, and violation of California’s Unfair Competition Law.

While denying any wrongdoing, Northbay agreed to the settlement to avoid the ongoing costs and business disruptions of litigation. The $3.6 million fund will cover attorneys’ fees (up to one-third of the total), administrative costs, a $5,000 class representative award, and benefits to impacted individuals.

Eligible class members will receive three years of credit and dark web monitoring, identity recovery services, and up to $1 million in identity theft insurance. They may also choose one of two compensation options: reimbursement for up to $4,000 in out-of-pocket breach-related expenses, or a $100 cash payment (adjusted depending on the number of claims submitted).

 

What was said

Northbay continues to deny all allegations and maintains that it committed no wrongdoing. The settlement was reached as a compromise to avoid further legal proceedings. Deadlines for class members include September 30, 2025, to object or opt out, and October 14, 2025, to file a claim. The final settlement approval hearing is set for October 29, 2025.

 

The big picture

According to Businesswire, Scott Cole, the principal attorney on the case, called attention to the seriousness of the breach: “The combination of biometric, financial, and medical data that were accessed in this data hack makes this situation unique.” He also pointed out, “Despite [the] hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here.”

 

FAQs

What is a class action settlement and how does it work?

A class action settlement resolves claims for a group of individuals (the "class") affected by the same issue. Rather than filing individual lawsuits, class members receive benefits or compensation from a shared settlement fund if they file a valid claim.

 

What if I already took steps to protect my identity after the breach?

You may still qualify for reimbursement of out-of-pocket expenses up to $4,000, even if those actions, such as credit monitoring or identity theft recovery services, were taken before the settlement was finalized.

 

Can individuals still sue Northbay separately?

Only if they opt out of the class action by the deadline (September 30, 2025). Once the settlement is approved and finalized, class members who did not opt out waive their right to pursue separate claims related to this breach.

 

Will everyone automatically get the $100 cash option?

No. The $100 is subject to change depending on the total number of valid claims filed. If fewer people file claims, the amount may increase. If many file, it may decrease proportionally.

 

Why is biometric and medical data considered especially sensitive?

Unlike passwords or ID numbers, biometric data (like fingerprints) and medical histories are permanent and cannot be changed. Their exposure increases the long-term risk of privacy violations and misuse.