Breach cyber

Mindpath Health

Nov 27, 2025 2 min read
Mindpath Health

Mindpath Health, a US-based mental health provider offering in-person and telehealth services, experienced a data breach in March and July 2022 when an unauthorized third party accessed its Microsoft Office 365 business email accounts. The incident exposed personal and protected health information (PHI) of thousands of patients, including sensitive medical and identifying details. Affected individuals filed a class-action lawsuit, alleging negligence in cybersecurity measures that could have prevented the breach. While Mindpath denied wrongdoing, it agreed to a $3.5 million settlement, offering victims cash payments (based on time/lost wages), three years of credit monitoring, and a $50 statutory payout for California residents. The breach led to legal repercussions, reputational damage, and financial compensation obligations, with potential long-term risks like identity theft or fraud for exposed patients. The settlement terms also include claim submission deadlines and a final approval hearing in February 2026.

Source: https://topclassactions.com/lawsuit-settlements/open-lawsuit-settlements/3-5m-mindpath-health-data-breach-class-action-settlement/

Mindpath Health cybersecurity rating report: https://www.rankiteo.com/company/mindpath-health

"id": "MIN4503945112725",
"linkid": "mindpath-health",
"type": "Breach",
"date": "7/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Thousands of patients',
                        'industry': 'Mental Health Services',
                        'location': 'Headquartered in California, with '
                                    'locations across the U.S.',
                        'name': 'Mindpath Health',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Compromised Microsoft Office 365 business email accounts',
 'customer_advisories': 'Class members notified of settlement benefits and '
                        'claim submission deadlines (Jan. 5, 2026)',
 'data_breach': {'data_exfiltration': 'Likely (accessed email accounts)',
                 'number_of_records_exposed': 'Thousands',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (includes PHI)',
                 'type_of_data_compromised': ['Personal information',
                                              'Protected health information '
                                              '(PHI)']},
 'description': 'Mindpath Health, a mental health provider, experienced a data '
                'breach in March and July 2022 where an unauthorized third '
                'party gained access to its Microsoft Office 365 business '
                'email accounts. The breach compromised personal and protected '
                'health information of thousands of patients, leading to a '
                '$3.5 million class action lawsuit settlement. The company did '
                'not admit wrongdoing but agreed to the settlement, which '
                'includes cash payments and credit monitoring services for '
                'affected individuals.',
 'impact': {'brand_reputation_impact': 'Negative (lawsuit and settlement)',
            'customer_complaints': 'Class action lawsuit filed by affected '
                                   'consumers',
            'data_compromised': ['Personal information',
                                 'Protected health information (PHI)'],
            'financial_loss': '$3.5 million (settlement amount)',
            'identity_theft_risk': 'High (personal and PHI exposed)',
            'legal_liabilities': '$3.5 million settlement',
            'systems_affected': ['Microsoft Office 365 business email '
                                 'accounts']},
 'initial_access_broker': {'entry_point': 'Microsoft Office 365 business email '
                                          'accounts',
                           'high_value_targets': ['Patient personal '
                                                  'information',
                                                  'Protected health '
                                                  'information']},
 'investigation_status': 'Resolved via settlement (final approval hearing '
                         'scheduled for Feb. 19, 2026)',
 'post_incident_analysis': {'root_causes': 'Alleged failure to implement '
                                           'reasonable cybersecurity measures '
                                           'to protect email accounts'},
 'references': [{'source': 'Class Action Lawsuit Settlement Notice'},
                {'source': 'Mindpath Health Settlement Website '
                           '(hypothetical)'}],
 'regulatory_compliance': {'fines_imposed': '$3.5 million (settlement, not a '
                                            'fine)',
                           'legal_actions': 'Class action lawsuit filed; '
                                            'settlement approved pending final '
                                            'hearing'},
 'response': {'communication_strategy': 'Notices sent to affected individuals; '
                                        'class action settlement terms '
                                        'communicated'},
 'stakeholder_advisories': 'Notices sent to affected individuals; settlement '
                           'terms published',
 'threat_actor': 'Unauthorized third party',
 'title': 'Mindpath Health Data Breach (2022)',
 'type': 'Data Breach'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.