In November 2024, Behavioral Health Resources experienced a data breach exposing sensitive personal and medical information of individuals whose data was stored by the organization. The breach allowed unauthorized access to files, leading to potential identity theft, fraud, and exposure of health-related details. A class action lawsuit was filed, alleging the company failed to implement adequate safeguards. The settlement includes up to $5,000 for documented out-of-pocket losses (e.g., credit monitoring, identity theft resolution), $125 for lost time, a pro rata cash payment (~$100), and three years of medical data monitoring (CyEx Medical Shield Total). The total settlement fund is $1.1 million, covering legal fees, administrative costs, and compensation for affected individuals. The breach highlights vulnerabilities in protecting highly sensitive health and personal data, with risks of financial fraud, reputational harm, and long-term privacy violations for victims.
Source: https://www.claimdepot.com/settlements/bhr-settlement
Behavioral Health Resources cybersecurity rating report: https://www.rankiteo.com/company/behavioral-health-resources
"id": "BEH3492934112125",
"linkid": "behavioral-health-resources",
"type": "Breach",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'U.S. residents whose data was '
'potentially compromised in the '
'November 2024 breach',
'industry': 'Behavioral Health / Healthcare',
'location': 'United States',
'name': 'Behavioral Health Resources',
'type': 'Healthcare Provider'}],
'customer_advisories': {'eligibility_criteria': 'U.S. residents whose data '
'was potentially compromised '
'in the November 2024 '
'Behavioral Health Resources '
'breach.',
'how_to_file_a_claim': ['Submit a claim form online '
'or via mail by 2026-01-12.',
'Mailing address: BHR Data '
'Incident Settlement, c/o '
'Settlement Administrator, '
'P.O. Box 25226, Santa Ana, '
'CA 92799-9958.',
'Request a paper claim form '
'by calling 833-417-4912 or '
'emailing '
'[email protected].'],
'payout_timeline': 'Payments issued within 30 days '
'after court resolves appeals and '
'grants final approval '
'(post-2026-02-06).',
'required_documentation': {'lost_time_reimbursement': ['attestation '
'of '
'hours '
'spent',
'brief '
'description '
'of '
'tasks '
'performed'],
'medical_data_monitoring': 'None '
'(select '
'option '
'on '
'claim '
'form)',
'out_of_pocket_losses': ['receipts',
'invoices',
'bank '
'statements',
'other '
'records'],
'pro_rata_cash_payment': 'None '
'(select '
'option '
'on '
'claim '
'form)'}},
'data_breach': {'data_exfiltration': 'Likely (unauthorized access to files)',
'personally_identifiable_information': ['health insurance IDs',
'medical record '
'numbers',
'potentially other '
'PII (e.g., names, '
'addresses, SSNs)'],
'sensitivity_of_data': 'High (includes medical and personally '
'identifiable information)',
'type_of_data_compromised': ['private information',
'medical records',
'personally identifiable '
'information (PII)',
'health insurance IDs',
'medical record numbers',
'health savings account '
'information']},
'date_detected': '2024-11-20',
'description': 'Behavioral Health Resources agreed to settle a class action '
'lawsuit alleging a November 2024 data incident allowed '
'unauthorized access to files containing private information. '
'The lawsuit claims the incident exposed sensitive data '
'belonging to individuals whose information Behavioral Health '
'Resources stored. A $1.1M settlement fund was established for '
'affected individuals, offering reimbursements, cash payments, '
'and medical data monitoring.',
'impact': {'brand_reputation_impact': 'Class action lawsuit and settlement '
'indicate reputational damage',
'data_compromised': ['private information',
'sensitive data',
'personally identifiable information (PII)',
'medical records'],
'financial_loss': {'administration_costs': 'To be determined',
'attorneys_expenses': '$25,000 (up to)',
'attorneys_fees': '$366,666.67 (up to)',
'claimant_payouts': 'Determined by number of '
'valid claims',
'medical_data_monitoring_cost': 'Determined by '
'number of '
'approved '
'claims',
'service_awards': '$12,500 (total for class '
'representatives)',
'settlement_fund': '$1,100,000'},
'identity_theft_risk': 'High (claims include reimbursement for '
'identity theft or fraud)',
'legal_liabilities': {'allegations': 'Failure to implement '
'reasonable safeguards to '
'protect personal information',
'settlement_agreement': '$1.1M fund'}},
'initial_access_broker': {'high_value_targets': ['private information',
'medical records',
'personally identifiable '
'information']},
'investigation_status': 'Settled (class action lawsuit resolved with $1.1M '
'fund; no further details on root cause investigation '
'provided)',
'lessons_learned': 'The incident highlights the importance of implementing '
'reasonable safeguards to protect sensitive personal and '
'medical information, as well as the financial and '
'reputational risks of failing to do so. Proactive '
'measures such as data encryption, access controls, and '
'monitoring could have mitigated the impact.',
'post_incident_analysis': {'corrective_actions': ['$1.1M settlement fund '
'established for affected '
'individuals.',
'No technical remediation '
'details provided in public '
'sources.'],
'root_causes': 'Alleged failure to implement '
'reasonable safeguards to protect '
'personal information (specific '
'technical root causes not '
'disclosed).'},
'recommendations': ['Implement stronger data protection safeguards, including '
'encryption for sensitive data.',
'Conduct regular security audits and vulnerability '
'assessments.',
'Enhance employee training on data security best '
'practices.',
'Establish a robust incident response plan to quickly '
'contain and mitigate breaches.',
'Monitor dark web and other sources for signs of exposed '
'data.',
'Provide timely and transparent communication to affected '
'individuals in the event of a breach.'],
'references': [{'source': 'Class Action Settlement Notice'},
{'source': 'BHR Data Incident Settlement Administrator'}],
'regulatory_compliance': {'legal_actions': ['Class action lawsuit settled for '
'$1.1M']},
'response': {'communication_strategy': {'claim_deadline': '2026-01-12',
'final_approval_hearing': '2026-02-06',
'opt_out_deadline': '2025-12-13',
'settlement_notification': 'Class '
'members '
'notified '
'via '
'online/mail '
'claim '
'forms',
'support_channels': ['Phone: '
'833-417-4912',
'Email: '
'[email protected]',
'Mail: BHR Data '
'Incident '
'Settlement, '
'P.O. Box 25226, '
'Santa Ana, CA '
'92799-9958']}},
'stakeholder_advisories': {'claim_options': [{'details': 'Up to $5,000 for '
'documented, '
'unreimbursed '
'expenses (e.g., '
'identity theft '
'losses, credit '
'monitoring fees, '
'costs to replace '
'IDs). Eligible '
'period: 2024-11-20 '
'to 2026-01-12.',
'proof_required': True,
'type': 'Out-of-pocket losses'},
{'details': 'Up to $125 (5 hours '
'at $25/hour) for '
'time spent '
'addressing the '
'incident (e.g., '
'changing passwords, '
'investigating '
'fraud).',
'proof_required': True,
'type': 'Lost time '
'reimbursement'},
{'details': 'Estimated $100 '
'(final amount '
'depends on valid '
'claims).',
'proof_required': False,
'type': 'Pro rata cash payment'},
{'details': '3 years of CyEx '
'Medical Shield '
'Total (includes '
'monitoring for '
'health insurance ID '
'exposure, medical '
'record number '
'exposure, and $1M '
'in medical identity '
'theft insurance).',
'proof_required': False,
'type': 'Medical data '
'monitoring'}],
'deadlines': {'file_claim': '2026-01-12',
'final_approval_hearing': '2026-02-06',
'opt_out': '2025-12-13'},
'eligible_class_members': 'U.S. residents whose '
'data was potentially '
'compromised in the '
'November 2024 breach',
'payout_methods': ['Digital payment (online claims '
'only)',
'Physical check']},
'title': 'Behavioral Health Resources $1.1M Data Breach Settlement',
'type': 'Data Breach'}