What are health data breaches: How to file a claim for payout

Learn how to file a health data breach claim, protect your information, and pursue compensation after your medical records are exposed.

One day you are filling a prescription or checking lab results online, and the next, you receive a notice that hackers exposed your medical records in a cyberattack.

Health systems built for convenience and coordination have also created a treasure trove for criminals, and in recent years, millions of patients have felt the fallout.

Still, a breach doesn't leave you powerless. Patients today can take clear steps to protect their data, act quickly, and even pursue compensation. This article explains how health data breaches happen, why they matter, and what you can do if your information ends up in one, including how to file a health data breach claim.

Key takeaways:

  • Health data breaches are widespread and damaging: Millions of patient records are exposed every year, often through hacking, ransomware, or insider mistakes. Breaches can involve Social Security numbers, medical histories, and even financial information, making victims vulnerable to fraud and identity theft.
  • The consequences extend beyond stolen files: Victims may face fraudulent bills, fake prescriptions, and emotional stress. Healthcare providers also suffer from disrupted operations, costly investigations, and regulatory fines that can reach into the millions.
  • Patients have rights and protections: Federal law requires healthcare entities to notify patients within 60 days of a breach. Victims often receive free credit monitoring, and they can place fraud alerts or freezes on their credit, file reports with the FTC, and request corrections to their medical records.
  • Filing a claim takes organization but pays off: To seek compensation, you need to confirm you were affected, track down the relevant lawsuit, read your class notice carefully, submit your claim form on time, and document any losses.
  • Settlemate simplifies the process: Many people miss out on compensation because the paperwork and deadlines feel overwhelming. Settlemate automatically matches you to class action settlements, pre-fills claim forms, tracks deadlines, and focuses on getting you paid.

What is a health data breach?

A health data breach occurs when protected health information (PHI), such as medical records, billing details, Social Security numbers, or insurance information, is accessed, stolen, or disclosed without authorization.

The federal Health Insurance Portability and Accountability Act (HIPAA) regulates protected health information (PHI) and requires covered entities, including hospitals, clinics, and insurers, to safeguard it.

HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009) strengthened HIPAA by adding breach notification rules and increasing penalties.

The most common causes of health data breaches

Common causes of health data breaches include:

  • Hacking and ransomware: By far the largest category, attacks can involve encrypting systems for ransom or exfiltrating data to sell or hold hostage. Hackers or ransomware caused roughly 80% of large healthcare breaches in recent years.
  • Insider error or theft: An employee accidentally emails patient lists to the wrong recipient, misplaces a laptop, or even steals data. Smaller breaches may occur if staff violate rules or take data home.
  • Lost or stolen devices: Laptops, USB drives, or paper records left in unsecured locations can contain unencrypted PHI. If a thief gets hold of them, that is a reportable breach.
  • Third-party vulnerabilities: Many healthcare entities use cloud services or billing vendors. For example, the Change Healthcare incident shows how a breach at a business associate can cascade through the healthcare system.

Regardless of cause, a health data breach occurs when someone gains unauthorized access to your medical information, thereby putting your privacy at risk.

Recent healthcare breach statistics and examples

In 2024, data breaches exposed or stole protected health information for about 276,775,457 individuals: that's roughly 758,288 records per day.

Health data breaches affect huge numbers of people. Federal records show that major healthcare breaches impacted 172 million individuals in 2024, which is more than half the U.S. population.

These include the largest breach in U.S. history: the UnitedHealth Group/Change Healthcare attack. In that 2024 incident, hackers (the BlackCat ransomware group) stole names, insurance IDs, diagnoses, treatments, Social Security numbers, and billing data.

As of July 2025, officials estimate that the Change Healthcare breach affected approximately 192.7 million individuals, a number comparable to the U.S. adult population.

Other notable examples include:

  • Lehigh Valley Health Network (2023): A Russian ransomware group stole and published cancer patients' medical records and radiation images. In November 2024, the court approved a $65 million settlement for 134,000 patients. Depending on the severity of the impact, class members received between $50,000 and $80,000 each.
  • Arisa Health (Arkansas, 2024): Hackers exposed sensitive personal identifiers belonging to more than 12,000 patients. In 2025, Arisa agreed to a settlement that pays up to $5,000 per person for losses, plus a $70 payment to all class members and free credit monitoring. The total payout adds up to about $1.9 million.
  • Octapharma Plasma (2024): A breach at a plasma donation center affected donors across the U.S. In 2025, the company settled for $2.55 million. Victims can either claim up to $5,000 in fraud or ID theft reimbursement or take a $100 cash payment. California residents qualify for an extra $50 bonus, and all class members receive three years of identity monitoring. The claim deadline is November 14, 2025.
  • Weirton Medical Center (West Virginia, 2024): A ransomware attack led to four lawsuits that merged into one case. The 2025 settlement provides up to $5,000 reimbursement for documented losses or a $50 cash payment to about 27,000 patients. The claim deadline is November 5, 2025.

What healthcare breaches expose and how they affect patients

When health data leaks, the impact cuts deeper than most people expect. Here's what usually gets exposed:

  • Identity data: Names, addresses, birth dates, Social Security numbers, and driver's license details can be bundled into "fullz" identity kits and sold on the dark web. Criminals use these to commit credit fraud or long-term identity theft.
  • Insurance and treatment data: Policy numbers, provider IDs, and diagnosis or treatment codes open the door to medical identity theft. Fraudsters may file false claims, bill Medicare, or even fill fake prescriptions in a victim's name.
  • Financial details: Even fragments of bank account or payment data make it easier for attackers to take over accounts or launch highly targeted phishing scams.

The consequences of health data breaches reach far beyond stolen files.

Criminals can use patient information for identity theft, unemployment scams, or extortion. Some exploit detailed medical records for Medicare fraud or to file fake prescriptions. For victims, the fallout often includes financial losses, the hassle of replacing documents, and the emotional strain of losing privacy.

Healthcare providers and insurers face heavy costs too. Breaches disrupt patient care, force expensive investigations, and can trigger massive regulatory penalties. Some HIPAA fines have climbed into the millions per violation tier. In 2024 alone, regulators fined seven U.S. health systems for ransomware-related breaches, with penalties reaching up to $950,000 each.

Legal protections for your health data

A patchwork of U.S. laws sets strict rules for how organizations must handle health information.

At the center is the Health Insurance Portability and Accountability Act (HIPAA), which created national standards for safeguarding protected health information (PHI). Violations can lead to civil or even criminal penalties.

The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened HIPAA by:

  • Raising penalties: Fines jumped dramatically, reaching up to $1.5 million per year, and state attorneys general gained the power to sue on behalf of residents.
  • Requiring breach notification: Organizations must notify affected individuals, the federal government, and the media (if over 500 people are affected) within 60 days of discovering a breach. Business associates, like IT vendors, must also report violations to the healthcare organizations they work with.

Your rights after a breach

If your health data is exposed, you have protections and options:

  • Notification: You should receive a written notice by mail or email explaining what happened and which of your information was involved.
  • Free monitoring: Many notices include free credit monitoring or identity theft protection for at least a year. If not offered, you still have the legal right to place a fraud alert or credit freeze with the three major credit bureaus.
  • Report fraud: If your data is misused, report it to the FTC (IdentityTheft.gov) and your state's attorney general. Keep documentation of your reports, as it may support future claims.
  • File a complaint: You can file a complaint with the HHS Office for Civil Rights (OCR) if you believe an organization mishandled a breach. OCR can investigate and fine organizations, though it does not award you money.
  • Review your records: You have the right to access and correct your medical records. After a breach, you can also request an "accounting of disclosures" to see who has accessed your PHI.

While HIPAA itself does not give patients the right to sue for damages in federal court, many victims pursue compensation through state privacy laws or class action lawsuits.

How to file a health data breach claim for compensation

Filing a health data breach claim is not complicated, but it does require organization and attention to detail. Here's how to file a health data breach claim step by step:

1. Confirm you were affected

The first step is making sure your information was actually part of the breach. Companies usually send letters or emails to notify affected patients. Save this notice carefully.

You can also search the HHS OCR Breach Portal (ocrportal.hhs.gov) to verify whether your provider is listed. If you've noticed unusual charges, new accounts, or any other signs of misuse, keep those records as evidence.

2. Research lawsuits and settlements

When a breach impacts thousands or millions of people, law firms often file class-action lawsuits. You can find them by searching for "[Company Name] data breach lawsuit" or by checking legal news.

For example, the Change Healthcare breach quickly grew into hundreds of lawsuits consolidated into a federal MDL. If you qualify as a class member, you'll eventually receive instructions on how to participate.

3. Review the class notice

If you're part of the affected group, you'll get a class-action notice by mail or email. This notice is critical: it spells out your rights, the benefits available, and the deadlines to respond.

Key details to look for include:

  • Opt-out deadline: the last day you can opt out and pursue your own lawsuit.
  • Claim deadline: the last day to submit your paperwork for compensation.

Most people automatically become class members and need to act only if they want to receive money or benefits.

4. File your claim form

Once a court approves a settlement, you'll usually need to complete a claim form. These forms are available online or by mail, often requiring a unique ID and PIN included in the notice.

Follow the instructions exactly and submit before the deadline. Always save a copy of your submission and confirmation number.

5. Document your losses

Many settlements offer two options:

  • A flat cash payment for all claimants, requiring no proof.
  • A larger reimbursement for those who submit documentation of losses.

Proof may include:

  • Receipts for replacing IDs or paying fees.
  • Bank or credit card statements showing fraudulent charges.
  • Evidence of time spent resolving fraud.

The Arisa Health settlement, for example, provided $70 with no documentation, but up to $5,000 if patients submitted proof of specific losses.

6. Monitor your claim

Do not assume the process ends after you file.

Settlement administrators may prorate payments depending on how many claims are submitted, and delays are common. Check the official settlement website for updates and keep an eye on your email for any requests for more information.

Protecting yourself after a breach

If you learn your health data was breached, take immediate action:

  • Use offered monitoring: Sign up for any free credit or identity monitoring that the breached company provides. These services can alert you to suspicious activity.
  • Order your credit reports: You are entitled to one free credit report per year from each bureau. Request them right away, review carefully, and check again in six months. Report any unfamiliar accounts or inquiries as fraud.
  • Place a fraud alert or credit freeze: A fraud alert makes it harder for criminals to open accounts in your name. A credit freeze blocks new accounts entirely until you lift it. Freezing is usually the safest step if your Social Security number was exposed.
  • Change passwords and enable 2FA: Update logins for patient portals, billing systems, and other accounts linked to the breach. Use strong, unique passwords and enable two-factor authentication wherever available.
  • Watch for phishing attempts: Be cautious of emails, texts, or calls pretending to be from your provider. Do not click on unfamiliar links or share personal details. Confirm communications directly with the organization.
  • Keep documentation: Save breach notices, correspondence, and evidence of fraud. Hold on to receipts for costs like replacing IDs or paying fees, since these may be reimbursable in a settlement.
  • Report misuse: File a report at IdentityTheft.gov and notify your state attorney general if someone uses your data fraudulently. For healthcare-specific issues, you can also submit a complaint to the HHS Office for Civil Rights at hhs.gov.

Why choose Settlemate to file your health data breach claim

Health data breaches can leave you frustrated and overwhelmed. Many people never claim the money they deserve because the process feels too complicated.

Settlemate simplifies the process by guiding you step by step and helping you navigate from breach notice to payout.

Here's what sets Settlemate apart:

  • Automatic claim matching: Settlemate checks an active database of settlements and lawsuits to show you only the health data breach claims you're most likely eligible for. No more guessing or missing out.
  • Simplified filing: Settlemate pre-fills the paperwork and directs you to the official claim site, eliminating the need to chase down scattered forms. You keep control, but the process feels simple.
  • Deadline and status tracking: Settlemate monitors claim windows, proof requirements, and payment timelines. You do not have to worry about missing a date or losing your spot in line.
  • Focus on payouts: Filing is only half the journey. Settlemate keeps track of cash benefits, credit monitoring offers, and reimbursement options until you actually claim your compensation.

When a health data breach leads to a class action settlement, you have the power to act and claim the compensation you deserve. Settlemate helps you take that step and ensures you get your share.

Check your eligibility today with Settlemate and see if you qualify for a health data breach claim.

Start your first claim today.

Don’t let another settlement pass you by. Download Settlemate and start claiming the money that’s legally yours. A hassle-free way to bring justice and your money back where they belong.
