On or about **January 24, 2024**, GHCSCW experienced a **data breach** exposing the **personal and protected health information (PHI)** of approximately **533,809 members**. The compromised data included sensitive details such as **personally identifiable information (PII) and medical records**, leading to potential risks of **identity theft, fraud, and unauthorized access to health data**. The breach prompted a **$3.5 million class-action settlement**, offering affected individuals **three years of medical/cybersecurity monitoring (CyEx services)** and **cash payouts**—either **documented losses up to $5,000** or an **estimated $100 pro rata payment**. The lawsuit alleged **negligence, breach of fiduciary duty, and failure to implement adequate security measures**, though GHCSCW denied wrongdoing. The incident underscored vulnerabilities in **healthcare data protection**, with long-term repercussions for trust and regulatory compliance.
Source: https://www.claimdepot.com/settlements/ghc-scw-settlement
Group Health Cooperative of South Central Wisconsin cybersecurity rating report: https://www.rankiteo.com/company/group-health-cooperative-of-south-central-wisconsin
"id": "GRO1092510111225",
"linkid": "group-health-cooperative-of-south-central-wisconsin",
"type": "Breach",
"date": "1/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '533,809',
'industry': 'Healthcare',
'location': 'South Central Wisconsin, USA',
'name': 'Group Health Cooperative of South Central '
'Wisconsin (GHCSCW)',
'type': 'Healthcare Provider'}],
'customer_advisories': ['Eligibility for $5,000 (documented losses) or $100 '
'(pro rata) cash payments',
'Three years of CyEx Medical monitoring services',
'Deadline to file claims: 2026-01-20'],
'data_breach': {'data_exfiltration': 'Likely (dark web scanning included in '
'settlement services)',
'number_of_records_exposed': '533,809',
'personally_identifiable_information': ['Names',
'Health records',
'Potentially '
'financial data '
'(fraud risks '
'mentioned)'],
'sensitivity_of_data': 'High (includes health and personal '
'data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_detected': '2024-01-24',
'description': 'Group Health Cooperative of South Central Wisconsin (GHCSCW) '
'agreed to pay $3.50 million to resolve a class action lawsuit '
'alleging failure to prevent a data breach on or about Jan. '
'24, 2024, which exposed sensitive personal and health '
'information of approximately 533,809 members. The breach led '
'to potential identity theft risks, with affected individuals '
'eligible for up to $5,000 in documented losses or an '
'estimated $100 cash payment, along with three years of CyEx '
'Medical monitoring services.',
'impact': {'brand_reputation_impact': 'Negative (lawsuit and settlement '
'indicate reputational harm)',
'customer_complaints': 'Class action lawsuit filed by affected '
'members',
'data_compromised': ['Personally Identifiable Information (PII)',
'Protected Health Information (PHI)'],
'financial_loss': '$3,500,000 (settlement fund)',
'identity_theft_risk': 'High (dark web scanning and identity theft '
'insurance offered as part of settlement)',
'legal_liabilities': "$3,500,000 settlement, attorneys' fees (up "
'to $1,166,666.67), potential additional '
'expenses',
'systems_affected': ['Network systems']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (dark web scanning '
'included in settlement)',
'high_value_targets': ['Personal and health data of '
'members']},
'investigation_status': 'Settled (final approval hearing on 2026-02-04)',
'post_incident_analysis': {'corrective_actions': ['Settlement payments',
'Credit monitoring services',
'Denial of wrongdoing but '
'agreement to settle to '
'avoid litigation costs']},
'references': [{'source': 'Class Action Settlement Notice (GHC-SCW Data '
'Incident)'},
{'source': 'Kroll Settlement Administration LLC'}],
'regulatory_compliance': {'legal_actions': ['Class action lawsuit '
'(allegations: negligence, breach '
'of fiduciary duty, breach of '
'implied contract, unjust '
'enrichment)']},
'response': {'communication_strategy': ['Notice sent to affected individuals',
'Official settlement website for '
'claims',
'Mail-in claim forms'],
'recovery_measures': ['$3.5M settlement fund for affected '
'members',
'Three years of CyEx Medical monitoring '
'services (credit monitoring, dark web '
'scanning, identity theft insurance)'],
'third_party_assistance': ['Kroll Settlement Administration LLC '
'(claims administration)']},
'stakeholder_advisories': ['Notice to affected members',
'Settlement website and claim forms'],
'title': 'GHC-SCW $3.5M Data Breach Class Action Settlement',
'type': 'Data Breach'}