Mindpath Health (Community Psychiatry Management LLC)

In March and July 2022, unauthorized parties accessed **Mindpath Health’s Microsoft Office 365 business email accounts**, exposing **personally identifiable information (PII) and protected health information (PHI)** of current and former patients. The breach led to a **$3.5 million class-action settlement**, covering claims for credit monitoring, documented financial losses (up to $1,500 for ordinary and $10,000 for extraordinary losses), lost time compensation ($30/hour, max $300), and pro rata cash payments (~$50). The exposed data included sensitive patient records, triggering risks of **identity theft, fraud, and reputational harm**. California residents received additional statutory payments due to stricter state privacy laws. The breach affected individuals who received services before August 2022 and were notified around January 2023. Mindpath denied wrongdoing but settled to avoid litigation costs.

Source: https://www.claimdepot.com/settlements/mind-path-settlement

Mindpath Health cybersecurity rating report: https://www.rankiteo.com/company/mindpath-health

"id": "MIN1302913111925",
"linkid": "mindpath-health",
"type": "Breach",
"date": "7/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Current and former patients who '
                                              'received services before August '
                                              '2022',
                        'industry': 'Healthcare (Mental Health Services)',
                        'location': 'United States (specific locations '
                                    'unspecified)',
                        'name': 'Mindpath Health (Community Psychiatry '
                                'Management LLC)',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Unauthorized access to Microsoft Office 365 business email '
                  'accounts',
 'customer_advisories': 'Eligible individuals can submit claims for '
                        'compensation (up to $1,500 for documented losses, '
                        '$300 for lost time, $10,000 for extraordinary losses) '
                        'or credit monitoring (3 years). Alternative cash '
                        'payment of ~$50 available. California subclass '
                        'members receive additional statutory payment.',
 'data_breach': {'data_exfiltration': 'Yes (email accounts accessed)',
                 'personally_identifiable_information': 'Yes (included in '
                                                        'exposed data)',
                 'sensitivity_of_data': 'High (health and personal data)',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information (PII)',
                                              'Protected health information '
                                              '(PHI)']},
 'date_publicly_disclosed': '2023-01',
 'description': 'Current and former patients of Mindpath Health (operating as '
                'Community Psychiatry Management LLC) were affected by a data '
                'breach in March and July 2022, where unauthorized parties '
                'accessed Microsoft Office 365 business email accounts, '
                'exposing personally identifiable and protected health '
                'information. The company agreed to a $3.5 million class '
                'action settlement, offering compensation and credit '
                'monitoring to affected individuals.',
 'impact': {'brand_reputation_impact': 'Negative (class action lawsuit and '
                                       'settlement)',
            'data_compromised': ['Personally identifiable information (PII)',
                                 'Protected health information (PHI)'],
            'financial_loss': '$3.5 million (settlement fund)',
            'identity_theft_risk': 'High (PII and PHI exposed)',
            'legal_liabilities': "$3.5 million settlement, attorneys' fees "
                                 '($1,166,666.67), administrative costs '
                                 '($202,900)',
            'systems_affected': ['Microsoft Office 365 business email '
                                 'accounts']},
 'initial_access_broker': {'entry_point': 'Microsoft Office 365 business email '
                                          'accounts',
                           'high_value_targets': ['Patient PII',
                                                  'Protected health '
                                                  'information (PHI)']},
 'investigation_status': 'Settled (class action lawsuit)',
 'references': [{'source': 'Class Action Settlement Notice (Mindpath Health '
                           'Data Incident)'},
                {'source': 'Settlement Administrator: Mindpath Data Incident '
                           'c/o Settlement Administrator'}],
 'regulatory_compliance': {'legal_actions': 'Class action lawsuit settled for '
                                            '$3.5 million'},
 'response': {'communication_strategy': 'Data breach notices sent to affected '
                                        'individuals in January 2023; class '
                                        'action settlement website and claim '
                                        'process established.'},
 'stakeholder_advisories': 'Class members notified via mail (January 2023) and '
                           'settlement website.',
 'threat_actor': 'Unauthorized parties (unknown)',
 'title': 'Mindpath Health $3.5M Data Breach Settlement',
 'type': ['Data Breach', 'Class Action Settlement']}