Carolina Arthritis Associates PA: Carolina Arthritis Associates $600K Data Breach Settlement

Carolina Arthritis Associates Settles $600K Over 2024 Data Breach Impacting Nearly 40,000 Patients

Carolina Arthritis Associates (CAA) has agreed to a $600,000 settlement following a September 2024 cyberattack that exposed the sensitive data of approximately 39,961 individuals. The breach compromised personally identifiable information (PII) and protected health information (PHI), including names, dates of birth, Social Security numbers, health insurance details, medical records, and treatment histories.

The settlement resolves a class action lawsuit alleging CAA failed to implement adequate security measures to protect patient data. While the practice denies any wrongdoing, it opted to settle to avoid prolonged litigation.

Eligibility and Compensation
Affected individuals—those whose data was accessed or acquired in the breach—may file claims for financial compensation or medical monitoring services. Two payment options are available:

  • Documented losses (up to $5,000): Reimbursement for out-of-pocket expenses incurred between September 27, 2024, and February 23, 2026, such as identity theft-related costs, credit monitoring fees, or document replacement.
  • Alternate cash payment (~$100): A pro rata payment for claimants without documented losses, with the final amount determined by the number of valid claims.

All class members may also enroll in two years of medical monitoring through CyEx Medical Shield Complete, which includes $1 million in medical identity theft insurance, fraud resolution support, and monitoring for unauthorized health insurance or HSA activity.

Claim Process and Deadlines
Eligible individuals can submit claims online or via mail using the notice ID and PIN provided in settlement notices. Required documentation for reimbursement claims includes receipts, bank statements, or proof of fraudulent activity. Payments will be distributed via PayPal, Venmo, Zelle, virtual prepaid cards, or paper checks.

Key deadlines:

  • Opt-out deadline: February 6, 2026
  • Claim filing deadline: February 23, 2026
  • Final approval hearing: March 10, 2026
  • Payout distribution: Approximately 75 days after final court approval.

Settlement Fund Allocation
The $600,000 fund will cover:

  • Settlement administration costs (TBD)
  • Attorneys’ fees (up to $200,000)
  • Class representative service awards ($10,000 total)
  • Medical monitoring services (based on claims filed)
  • Remaining funds for approved claimant payments.

The breach underscores the growing risks of healthcare data exposure and the financial consequences for organizations failing to secure sensitive patient information.

Source: https://www.claimdepot.com/settlements/caa-data-settlement

ARTHRITIS & RHEUMATOLOGY CENTER PC cybersecurity rating report: https://www.rankiteo.com/company/arthritis-&-rheumatology-center-pc

"id": "ART1766160621",
"linkid": "arthritis-&-rheumatology-center-pc",
"type": "Breach",
"date": "9/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '39,961',
                        'industry': 'Healthcare',
                        'name': 'Carolina Arthritis Associates PA',
                        'type': 'Healthcare Provider'}],
 'customer_advisories': 'Notices sent to affected individuals with claim '
                        'instructions',
 'data_breach': {'number_of_records_exposed': '39,961',
                 'personally_identifiable_information': ['Names',
                                                         'Dates of birth',
                                                         'Social Security '
                                                         'numbers',
                                                         'Health insurance '
                                                         'information',
                                                         'Treatment '
                                                         'information',
                                                         'Medical records',
                                                         'Medical history'],
                 'sensitivity_of_data': 'High (SSNs, medical records, health '
                                        'insurance information)',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information',
                                              'Protected health information']},
 'date_detected': '2024-09-27',
 'description': 'Carolina Arthritis Associates PA agreed to pay $600,000 to '
                'settle a class action lawsuit alleging it failed to '
                'adequately protect patient data, resulting in a September '
                '2024 cyberattack that compromised sensitive information. Data '
                'exposed in the breach included names, dates of birth, Social '
                'Security numbers, health insurance information, treatment '
                'information, medical records, and medical history.',
 'impact': {'data_compromised': 'Personally identifiable information and '
                                'protected health information',
            'financial_loss': '$600,000 (settlement amount)',
            'identity_theft_risk': 'High (due to exposure of SSNs and medical '
                                   'records)',
            'legal_liabilities': 'Class action lawsuit settlement'},
 'investigation_status': 'Settled',
 'post_incident_analysis': {'root_causes': 'Failure to adequately protect '
                                           'patient data'},
 'references': [{'source': 'Class action settlement notice'}],
 'regulatory_compliance': {'legal_actions': 'Class action lawsuit'},
 'response': {'communication_strategy': 'Customer advisories sent to affected '
                                        'individuals'},
 'title': 'Carolina Arthritis Associates $600K Data Breach Settlement',
 'type': 'Data Breach'}