In November 2023, Rancho Family Medical Group (RFMG) experienced a data breach via its third-party service provider, KMJ Health Service, exposing the personal and protected health information (PHI) of current and former patients. The breach led to a $315,000 class-action settlement, offering affected individuals up to $10,000 in reimbursement for out-of-pocket losses (e.g., fraud, identity theft, legal fees, credit monitoring) and three years of credit monitoring. Patients could also claim $68 for time spent mitigating breach-related issues (e.g., password changes, monitoring suspicious activity). The settlement fund covers pro rata cash payments (up to $1,000 per person), attorneys’ fees ($105,000), and administrative costs. The breach prompted allegations that RFMG failed to adequately safeguard sensitive data, though the company denied liability. The incident highlights risks associated with third-party vendor vulnerabilities in healthcare data security, with potential long-term consequences for affected individuals, including identity theft, financial fraud, and reputational harm.
Source: https://www.claimdepot.com/settlements/rfmg-data-settlement
TPRM report: https://www.rankiteo.com/company/rancho-health-mso
"id": "ran2711027110525",
"linkid": "rancho-health-mso",
"type": "Breach",
"date": "11/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Current and former patients '
'(exact number unspecified)',
'industry': 'Healthcare',
'location': 'USA',
'name': 'Rancho Family Medical Group (RFMG)',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare IT',
'name': 'KMJ Health Service',
'type': 'Service Provider'}],
'customer_advisories': 'Credit monitoring enrollment offered; claims '
'submission deadline: 2025-12-29',
'data_breach': {'data_exfiltration': 'Likely (based on breach impact)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (health and personal data)',
'type_of_data_compromised': ['Personal Information',
'Protected Health Information '
'(PHI)']},
'date_detected': '2023-11',
'description': 'Current and former patients of Rancho Family Medical Group '
'(RFMG) were notified that their personal and protected health '
'information may have been impacted by a November 2023 data '
'breach involving its service provider, KMJ Health. RFMG '
'agreed to a $315,000 class action settlement to resolve '
'allegations of inadequate data protection. Affected '
'individuals are eligible for up to $10,000 in out-of-pocket '
'loss reimbursement and three years of credit monitoring.',
'impact': {'brand_reputation_impact': 'Class action lawsuit and settlement',
'data_compromised': ['Personal Information',
'Protected Health Information (PHI)'],
'financial_loss': {'attested_time_compensation': 'Up to $68 '
'($17/hour for 4 '
'hours)',
'attorneys_expenses': '$5,000',
'attorneys_fees': '$105,000',
'out_of_pocket_loss_reimbursement': 'Up to '
'$10,000 '
'per person',
'pro_rata_cash_payment_per_person': 'Up to '
'$1,000',
'service_award': '$5,000',
'settlement_amount': '$315,000'},
'identity_theft_risk': 'High (credit monitoring offered for 3 '
'years)',
'legal_liabilities': '$315,000 settlement'},
'investigation_status': 'Settled via class action (final approval hearing on '
'2026-01-28)',
'post_incident_analysis': {'corrective_actions': 'Settlement agreement (no '
'technical remediation '
'details provided)',
'root_causes': 'Alleged failure to adequately '
'protect patient data at '
'third-party service provider (KMJ '
'Health)'},
'references': [{'source': 'Class Action Settlement Notice'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuit settled for '
'$315,000'},
'response': {'communication_strategy': 'Patient notifications, class action '
'settlement communications'},
'stakeholder_advisories': 'Patients notified via official settlement notice '
'with Unique ID and PIN',
'title': 'Rancho Family Medical Group $315K Data Breach Settlement',
'type': 'Data Breach'}