In November 2023, CarePro Health Services experienced a data breach where unauthorized individuals accessed its computer systems, compromising the sensitive personal and health information of approximately 151,499 individuals. The exposed data included full names, contact details, dates of birth, state-issued IDs (driver’s license, Social Security numbers), financial account information, and medical/health insurance records. The breach led to a $1.3 million class-action settlement, offering affected individuals up to $5,000 in reimbursement for fraud-related losses, two years of free credit monitoring, and a pro rata cash payment (~$100 per claimant). The lawsuit alleged negligence, breach of contract, and violations of data protection laws, though CarePro denied wrongdoing. The incident highlights significant risks to patient privacy, financial security, and identity theft, with long-term reputational and operational consequences for the healthcare provider.
Source: https://www.claimdepot.com/settlements/carepro-class-action
TPRM report: https://www.rankiteo.com/company/carepro-home-health-hospice
"id": "car0192901110625",
"linkid": "carepro-home-health-hospice",
"type": "Breach",
"date": "11/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '151,499 individuals',
'industry': 'Healthcare',
'name': 'CarePro Health Services (C.R. Pharmacy '
'Services Inc.)',
'type': 'Healthcare Provider / Pharmacy Services'}],
'customer_advisories': ['Eligibility for reimbursement (up to $5,000)',
'Pro rata cash payment (~$100)',
'2 years of free credit monitoring and identity theft '
'protection',
'Claim submission deadline: December 3, 2025'],
'data_breach': {'data_exfiltration': 'Likely (unauthorized access confirmed)',
'number_of_records_exposed': '151,499',
'personally_identifiable_information': ['Full names',
'Dates of birth',
'Social Security '
'numbers',
'Driver’s license '
'numbers',
'State-issued ID '
'numbers',
'Contact information'],
'sensitivity_of_data': 'High (includes SSNs, medical records, '
'financial data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)',
'Financial Information']},
'date_detected': '2023-11-16',
'description': 'C.R. Pharmacy Services Inc., doing business as CarePro Health '
'Services, agreed to pay $1.3 million to resolve a class '
'action lawsuit alleging it failed to adequately safeguard '
'sensitive personal and health information, resulting in '
'unauthorized access to patient data in November 2023. The '
'breach impacted approximately 151,499 individuals, exposing '
'personal and health information such as full names, Social '
'Security numbers, financial account details, and medical '
'records. Affected individuals are eligible for reimbursement '
'(up to $5,000), credit monitoring, and pro rata cash '
'payments.',
'impact': {'brand_reputation_impact': 'Negative (settlement and public '
'disclosure of breach)',
'customer_complaints': 'Class action lawsuit filed by affected '
'individuals',
'data_compromised': ['Full names',
'Contact information',
'Dates of birth',
'State-issued identification numbers',
'Social Security numbers',
'Driver’s license numbers',
'Financial account information',
'Medical and health insurance information'],
'financial_loss': '$1.3 million (settlement fund)',
'identity_theft_risk': 'High (PII and financial data exposed)',
'legal_liabilities': ['Class action lawsuit (negligence, breach of '
'contract, violation of Iowa consumer '
'protection and data breach laws)',
'$1.3 million settlement'],
'payment_information_risk': 'High (financial account information '
'exposed)',
'systems_affected': ['Computer systems (CarePro)']},
'initial_access_broker': {'high_value_targets': ['Patient PII/PHI and '
'financial data']},
'investigation_status': 'Resolved (settlement reached)',
'post_incident_analysis': {'corrective_actions': ['$1.3 million settlement '
'fund for affected '
'individuals',
'Credit monitoring and '
'identity theft protection '
'services offered'],
'root_causes': ['Inadequate safeguards for '
'sensitive personal and health '
'information']},
'references': [{'source': 'Class Action Settlement Notice'},
{'source': 'CarePro Data Incident Claims Administrator'}],
'regulatory_compliance': {'fines_imposed': '$1.3 million (settlement)',
'legal_actions': ['Class action lawsuit',
'Settlement agreement (no '
'admission of wrongdoing)'],
'regulations_violated': ['Iowa consumer protection '
'laws',
'Data breach notification '
'laws']},
'response': {'communication_strategy': ['Notice sent to affected individuals',
'Class action settlement announcement',
'Public claim submission process '
'(online/mail)']},
'stakeholder_advisories': 'Notice sent to 151,499 affected individuals',
'threat_actor': 'Unauthorized individuals',
'title': 'CarePro Health Services $1.3M Data Breach Settlement',
'type': ['Data Breach', 'Class Action Lawsuit']}