How to file a health data breach claim: A step-by-step process

Learn how to file a health data breach claim, understand your legal options, and find out how class action settlements may help you get compensation more easily

A health data breach can expose some of your most sensitive personal information, including medical records, insurance details, and Social Security numbers. When healthcare providers, insurers, or other organizations fail to protect that data, affected individuals may be entitled to compensation through individual lawsuits or class action settlements. 

But there’s a catch: medical data breach compensation is not automatic. In most cases, you must actively file a claim to recover damages tied to the breach. 

This guide explains what qualifies as a breach of health information and how to file a health data breach claim. You will also learn what steps you can take to pursue the compensation you may be owed.

Can you file a medical data breach claim?

If your medical data has been exposed or mishandled, you can file a complaint with the Office for Civil Rights (OCR) and potentially qualify for compensation. You can usually submit your complaint in two situations:

  1. A healthcare provider, insurer, or their partner violated your or someone else’s health information privacy rights or failed to follow privacy and security rules.
  2. There’s been a violation involving substance use disorder (SUD) treatment records under 42 CFR Part 2 (usually referred to as “Part 2”).

Anyone who suspects a violation of health data privacy can file a complaint. The OCR reviews these complaints and determines if an investigation is warranted. Note that this government body can only investigate HIPAA-covered entities.

Here’s who can file a complaint and which entities the OCR may investigate:

HIPAA-covered entities the OCR may investigate:
  • Hospitals
  • Clinics
  • Doctors
  • Dentists
  • Psychologists
  • Chiropractors
  • Nursing homes
  • Pharmacies
  • Healthcare insurance companies
  • Medicaid, Medicare, and other government programs
  • Company health plans

Who can file a complaint:
  • Patients
  • Personal representatives (parents, legal guardians, or anyone authorized to act on behalf of a patient)
  • Healthcare employees who notice improper handling or internal compliance issues
  • Third parties (family members or advocates)

However, filing a complaint doesn’t typically lead to compensation. That’s why many people want to know if they can take legal action.

HIPAA itself doesn’t give individuals the right to file a lawsuit for damages, but you can sue over a medical data breach under state laws.

Before you decide what to do next, you need to understand what constitutes a breach of health information.

What is a data breach in healthcare?

A healthcare data breach happens when protected health information (PHI) is accessed, shared, or exposed without authorization. 

Check out the type of information that’s protected and common examples of medical data breaches:

Type of PHI:
  • Medical records
  • Insurance details
  • Test results and diagnoses
  • Personal identifiers, such as:
    • Names
    • Addresses
    • Social Security numbers

Common medical data breaches:
  • A hacker gaining access to hospital systems
  • An employee viewing or sharing patient records without permission
  • Lost or stolen devices containing patient data
  • Sensitive information being sent to the wrong person

How to file a medical records data breach claim

If your medical data has been exposed, there are two legal paths you can take: a class action or an individual lawsuit. Here’s how they compare:

| Factor | Individual lawsuit | Class action lawsuit |
|---|---|---|
| Who files the case | You or a small group on your behalf | One or more lead plaintiffs on behalf of a large group |
| Legal basis | State laws | Same legal basis but applied to a group with similar claims |
| Complexity | More straightforward procedurally, but requires building your own case | More complex to initiate, but handled by attorneys |
| Cost | Potential legal fees, filing costs, and other expenses | Typically no upfront cost for class members; lawyers work on contingency, and legal fees are deducted from the settlement |
| Time and effort | High; requires active involvement | Low for most participants |
| Control over the case | Full control over decisions, strategy, and settlement | Very limited control; decisions are made by lead plaintiffs and attorneys |
| Payout process | Negotiated or awarded individually | Distributed through a settlement process, usually via claim forms |
| Settlement approval | Court approval not required | Must be approved by the court |
| Risk | High risk; no financial recovery in case of an unsuccessful verdict | Low risk; no direct cost to participate |

Once you understand these paths, there are three ways you can pursue health data breach compensation:

  1. File an individual lawsuit
  2. Start a class action lawsuit
  3. Join an existing class action lawsuit

Note: For most people, joining a class action is the more practical option. Although class actions can take months (even years), they require far less of your time, effort, and upfront cost.

How to file an individual health data breach lawsuit

An individual lawsuit involves taking legal action on your own against the healthcare provider, insurer, or vendor responsible for the breach. Most individual lawsuits are brought under state laws, such as negligence or failure to protect sensitive data.

You can choose to represent yourself, which is known as filing pro se, if you want to stay in control of the case or avoid legal fees. However, most claims require working with an attorney, particularly if you’re trying to prove damages. 

Here is what you should typically do:

  1. File a complaint with the OCR to formally report the violation.
  2. Consult a lawyer experienced in privacy or healthcare data breaches.
  3. Build a case demonstrating how the breach caused harm (e.g., fraud, identity theft, financial loss).

Filing an individual lawsuit can lead to higher compensation, but it comes with trade-offs, such as:

  • Bearing the burden of proof for your specific losses
  • Assuming full responsibility for legal costs
  • Committing significant time to the process

There’s also no guarantee of success.

If others were affected by the same breach, it may make more sense to pursue a group claim instead by starting a class action lawsuit.

How to start a health data breach class action lawsuit

If a breach has just been discovered and no other cases have been filed yet, you may consider initiating a class action lawsuit. This legal proceeding allows a group of people affected by a common issue to sue together. Instead of handling dozens or thousands of individual cases, the court resolves the claims collectively in a single case. 

Starting a class action involves several steps:

  1. Hire a class action attorney: These cases are complex, so you can’t file a class action lawsuit without a lawyer. An experienced attorney manages all aspects of the case, from evidence gathering to court filings.
  2. Confirm there’s a shared issue: You need to demonstrate that multiple people were affected in a similar way. There’s no official minimum number of people required to start a class action lawsuit, but courts rarely certify a class with under 20 participants.
  3. Identify lead plaintiffs: One or more individuals represent the entire group and work closely with the lawyers. 
  4. File the complaint and seek class certification: The court must approve the case as a class action by confirming that the group is large enough and shares common claims. 
  5. Notify affected individuals: Once certified, potential class members are informed by mail, email, or public notices. 

From there, the case moves forward, often ending in a settlement rather than a trial. If successful, compensation is distributed across all eligible members.

How to join an existing class action lawsuit

If a class action has already been filed over the breach, you can join that existing lawsuit. Doing so is typically the simplest and most common way to get compensation after a medical data breach.

You usually don't even have to sign up to be included. If you meet the criteria, you’re automatically considered part of the class. The lawyers handling the case represent you, so you don’t need to hire your own. 

However, to receive your share of the settlement, you have to take action. More specifically, you must:

  1. Submit a claim form
  2. Provide basic proof in some cases
  3. Meet a strict deadline

Courts try to notify eligible individuals through email, mail, or public announcements. But in large cases, the notices may not reach everyone, especially if contact information is outdated or incomplete.

That means you could be eligible for medical data breach compensation and never realize it. To make sure this doesn’t happen, you can rely on Settlemate. The app is designed to help you get what you’re owed: it tracks settlements and deadlines, confirms your eligibility, and helps you file a health data breach claim in minutes. 

How does Settlemate help with medical data breach compensation claims?

Even if you find out that your health data was compromised in a breach and there’s a class action settlement, you won’t see a cent of the compensation unless you file a claim. And that means filling out forms, meeting deadlines, and figuring out what proof (if any) is necessary.

That’s why so many people never follow through, especially if it seems like the amount you might get isn’t worth the hassle. But when enough small payouts go unclaimed, that can add up to hundreds or even thousands of dollars left behind over time. 

Settlemate removes the friction from filing a health data breach claim, offering medical data breach claim assistance. Here’s how it works:

  • Automatic settlement detection: With your permission, Settlemate scans your emails and activity to identify medical data breach settlements you may qualify for, so you don’t have to search for them yourself. 
  • Pre-filled claim forms: Instead of starting from scratch, Settlemate prepares claim forms for you whenever possible. You just review and submit in minutes. 
  • Clear proof guidance: If a claim requires documentation, the app tells you exactly what to provide. 
  • Deadlines and status tracking: Stay on top of filing deadlines, claim updates, and payout timelines with real-time notifications. 
  • Payout estimates: Settlemate lets you see the potential medical data breach compensation amount before you file. 


Settlemate doesn’t change the outcome of a settlement, but it makes sure you don’t miss the chance to claim what you’re entitled to. 

Get started by downloading Settlemate from the App Store or Google Play and creating your account.

If you’re not sure whether it’s worth it, there’s no real downside. If your subscription doesn’t pay for itself within the first year, you’re eligible for a full refund.

Frequently asked questions

Still have questions about medical data breach compensation claims? We’ve answered some of the most frequent queries.

Is it worth suing over a data breach?

If you’ve experienced clear, documented harm, like identity theft, fraud, or significant financial loss, an individual lawsuit may be worth considering. You may recover higher compensation than with a class action lawsuit. 

However, most medical data breach cases don’t result in severe, provable damages for each individual. That makes these lawsuits harder to win and often not worth the time and legal costs. 

That’s why medical data breach cases often transition into class actions. They allow large groups of affected individuals to seek compensation together, even if harm is harder to quantify on an individual level. It’s a more practical way to claim compensation without taking on legal risk or expense. 

What is the average medical data breach compensation amount?

There’s no fixed average payout for a HIPAA violation because compensation usually results from settlements, not direct HIPAA lawsuits. The amount you receive depends on the size of the settlement and the number of people filing a claim.

For example:

  • The Arisa health data breach settlement totaled $1.9 million, with payouts of about $70 distributed among affected individuals, who are also entitled to three years of credit monitoring services.
  • The HealthEC data breach settlement reached $5.48 million, shared across a large group. 
  • In the MyChart data breach cases, settlements are in the millions. One agreement involving BJC HealthCare reached $5.5 million, with the potential to increase to $9.25 million.

In most cases, individual payouts range from $50 to a few hundred dollars for basic claims. Reimbursements are possible if you provide proof of financial losses.

Large class action settlements often get divided among thousands or even millions of individuals, which keeps individual payouts lower. 

Will I pay taxes on a settlement?

The tax consequences of a settlement depend on what the settlement is compensating you for. In general, the IRS evaluates the reason you received monetary compensation:

  1. Not taxable: Physical injury or illness
  2. Taxable: Emotional distress not tied to physical harm, lost wages, or punitive damages

Most medical data breach settlements fall into the grey area. If the payout is meant to compensate for financial losses or time and effort spent in response to the breach, it may be considered taxable income.

An additional complication is that even if legal fees are deducted before you receive your payout, the IRS may still tax the full amount. 

It’s best to check the settlement agreement or consult a tax professional if you’re unsure whether you should report settlement payments on your tax return.

Who can help file a claim for a medical data breach?

You have a few options, depending on how you want to approach the process:

  • Class action attorneys handle lawsuits and settlements on behalf of large groups of plaintiffs. If you’re part of a class action, you typically don’t need to hire your own lawyer.
  • Government agencies like the OCR can investigate complaints, but they don’t file compensation claims for you.
  • Apps like Settlemate help you claim your share of settlements with minimal involvement on your part.

Start your first claim today.

Don’t let another settlement pass you by. Download Settlemate and start claiming the money that’s legally yours. A hassle-free way to bring justice and your money back where they belong.
