Watson Clinic LLP faced a severe data breach in February 2024, in which an unauthorized third party gained access to and, in some cases, published sensitive patient data and medical images on the dark web. The breach exposed personal and protected health information (PHI), including digital images categorized by sensitivity (e.g., full-face with exposed areas, partial clothing, or non-sensitive content). Affected individuals (current and former patients) received notification letters and became eligible for a $10 million class-action settlement, with payouts ranging from $100 to $75,000 depending on the severity of exposure (e.g., identity theft risks, fraud, or emotional distress from leaked images). The lawsuit alleged negligence, breach of contract, and violations of consumer protection laws, though Watson Clinic denied liability. The incident led to financial compensation for out-of-pocket losses (up to $500), extraordinary damages (up to $6,500), and time spent remedying issues ($125 max). The breach underscored failures in data security protocols, resulting in reputational harm, legal costs (up to $3.3M in attorneys' fees), and long-term trust erosion among patients.
Source: https://www.claimdepot.com/settlements/watson-data-settlement
Watson Clinic LLP cybersecurity rating report: https://www.rankiteo.com/company/watson-clinic
"id": "wat3892838111125",
"linkid": "watson-clinic",
"type": "Breach",
"date": "2/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Current and former patients who '
                                              'received a notice letter (exact '
                                              'number unspecified)',
                        'industry': 'Healthcare',
                        'location': 'United States',
                        'name': 'Watson Clinic LLP',
                        'type': 'Healthcare Provider'}],
 'customer_advisories': 'Patients instructed to file claims by Feb. 5, 2026, '
                        'via online form or mail; options for compensation '
                        'include out-of-pocket losses, extraordinary losses, '
                        'attested time, and automatic payments for exposed '
                        'images.',
 'data_breach': {'data_exfiltration': 'Yes (data published on the dark web)',
                 'file_types_exposed': ['Medical images', 'Patient records'],
                 'personally_identifiable_information': 'Yes (names, PHI, and '
                                                        'other identifiers)',
                 'sensitivity_of_data': 'High (includes medical images '
                                        'published on the dark web)',
                 'type_of_data_compromised': ['Personal information',
                                              'Protected health information '
                                              '(PHI)',
                                              'Medical images (including full '
                                              'face and sensitive areas)']},
 'date_detected': 'February 2024',
 'description': 'Watson Clinic LLP agreed to pay $10 million to resolve a '
                'class action lawsuit arising from a data security incident '
                'discovered in February 2024. The breach involved unauthorized '
                'access and, in some cases, publication of sensitive patient '
                'data and medical images on the dark web. Current and former '
                'patients who received a notice letter may qualify for '
                'compensation up to $75,000, depending on the nature of the '
                'exposed data (e.g., digital images with full face and '
                'sensitive areas exposed). The settlement includes '
                'reimbursements for out-of-pocket losses, extraordinary '
                'losses, attested time, and automatic payments for victims '
                'whose images were published.',
 'impact': {'brand_reputation_impact': 'Significant (lawsuit alleges '
                                       'negligence and breach of contract)',
            'customer_complaints': 'Class action lawsuit filed by affected '
                                   'patients',
            'data_compromised': ['Personal information',
                                 'Protected health information (PHI)',
                                 'Medical images'],
            'financial_loss': '$10,000,000 (settlement fund)',
            'identity_theft_risk': 'High (documented cases of identity theft, '
                                   'fraud, and falsified tax returns traceable '
                                   'to the breach)',
            'legal_liabilities': "$10,000,000 settlement, attorneys' fees up "
                                 'to $3,300,000'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (medical images '
                                                    'published)',
                           'high_value_targets': ['Patient PHI',
                                                  'Medical images']},
 'investigation_status': 'Settled (class action lawsuit resolved; no further '
                         'details on root cause investigation)',
 'post_incident_analysis': {'corrective_actions': 'Settlement agreement (no '
                                                  'technical remediation '
                                                  'details disclosed)'},
 'ransomware': {'data_exfiltration': 'Yes (data published on the dark web)'},
 'references': [{'source': 'Class Action Settlement Notice'},
                {'source': 'Settlement Administrator (Kroll)'}],
 'regulatory_compliance': {'legal_actions': 'Class action lawsuit settled for '
                                            '$10,000,000',
                           'regulations_violated': ['Consumer protection laws '
                                                    '(alleged)',
                                                    'Potential HIPAA '
                                                    'violations (implied but '
                                                    'not specified)']},
 'response': {'communication_strategy': 'Notice letters sent to affected '
                                        'patients; public settlement '
                                        'announcement with claim instructions',
              'third_party_assistance': ['Kroll Settlement Administration '
                                         '(claims processing)']},
 'stakeholder_advisories': 'Notice letters sent to affected patients; public '
                           'settlement terms published',
 'threat_actor': 'Unauthorized third party',
 'title': 'Watson Clinic $10M Data Breach Class Action Settlement',
 'type': ['Data Breach', 'Class Action Lawsuit']}