Rancho Family Medical Group agrees to 315K settlement

The settlement comes after a third-party data breach took place in 2023. 

What happened

Rancho Family Medical Group (RFMG), a healthcare group based in Southern California, has agreed to a 315K settlement over a data breach that led to a server outage and leaked patient information.

According to RFMG’s initial notice, the healthcare organization was informed of a data breach on January 11th, 2024, that impacted KMJ Health Solutions. KMJ Health is a third-party technology partner offering sign-out systems for healthcare professionals, billing systems, and more. While KMJ Health notified RFMG of the breach in early 2024, the incident took place on November 19th, 2023. 

KMJ was unable to determine what data had been impacted, but RFMG was able to. The incident impacted information including names, dates of birth, hospital medical record numbers, hospital treatment locations, dates of service, and procedure medical codes. 

The breach affected patients seen across a ten-year period, approximately 11,500 individuals in total.

What’s new

Following the incident, the plaintiff filed a lawsuit on June 17th, 2024, after receiving the notice. The lawsuit alleged that RFMG violated the Confidentiality of Medical Information Act (CMIA) and California’s unfair competition law. 

RFMG agreed to participate in a mediation with the plaintiff, which took place on October 17th, 2024, and ultimately led to the agreed-upon settlement. As part of the settlement, RFMG admits no wrongdoing.

Under the agreement, class members will receive three years of credit monitoring. They can also be reimbursed for time spent resolving issues related to the breach and compensated for losses, up to $10,000.

The big picture

This case points to the complicated relationship between third parties and the healthcare organizations they work with. Every organization should sign a business associate agreement (BAA) to ensure that the third party understands its data privacy obligations. According to Paubox CEO Hoala Greevy, “Too many vendors still treat HIPAA as optional. If you’re handling PHI without encryption or a BAA in place, you’re creating liability.” Using third parties is hard to avoid; they can quickly ease the burden of administrative duties and help practices run more efficiently, but they can also introduce vulnerabilities. According to one 2025 mid-year report, 16% of data breaches are connected to business associates.

FAQs

Why is RFMG settling a suit that was connected to a breach at KMJ?

Ultimately, healthcare organizations like RFMG have an obligation to ensure that the business associates they work with are properly protecting and securing data. Practices should sign a business associate agreement outlining the roles and responsibilities of each party. While we don’t know specifically why RFMG is being sued over the KMJ breach, it’s likely that the evidence points to RFMG insufficiently protecting data.

When will class action members receive compensation?

The final approval hearing is scheduled for January 28th, 2026. Funds will likely take between a few weeks and a few months to become available to victims.