SAG-AFTRA Health Plan agreed to a $950,000 settlement to resolve consolidated class action claims arising from a September 2024 phishing-related email breach that exposed personal and protected health information (PHI).
Incident Overview
Hackers accessed the SAG-AFTRA Health Plan email system between September 17 and September 18, 2026 as a result of employees’ response to phishing emails. The unauthorized access resulted in the exposure of sensitive data, including PHI, which was potentially copied by the attackers.
Compromised data included names and Social Security numbers. The health information, claims data, and plan participant ID numbers of some individuals were also exposed.
Scope of Impact
The breach report submitted to the U.S. Department of Health and Human Services Office for Civil Rights initially indicated that 35,592 individuals were affected. The reported total was later increased to 98,474 individuals.
The lawsuit indicates that the health plan sent approximately 94,546 notification letters to impacted individuals.
Legal Proceedings
The first class action lawsuit related to the breach was filed in December 2024 by Matthew Rouillard and Kristy Munden. Three additional class action lawsuits were later filed by other plaintiffs.
Due to overlapping claims, the lawsuits were combined into a single action and filed as In re SAG Health Data Breach Litigation in the U.S. District Court for the Central District of California.
The consolidated complaint included allegations of negligence and violations of California laws.
Settlement Terms
SAG-AFTRA Health Plan and the plaintiffs reached an agreement to resolve the litigation without proceeding to trial. The settlement establishes a $950,000 fund.
The settlement fund is designated to cover attorneys’ fees and expenses, service awards for class representatives, claims administration costs, and payments to class members. Eligible class members may submit claims for reimbursement of documented and unreimbursed losses related to the breach, with a maximum of $5,000 per individual.
Class members may also receive a pro rata cash payment from the remaining settlement funds after deductions for costs and claims. Individuals who were not California residents at the time of the breach are eligible for one share of the remaining funds, while California residents are eligible for two shares.
All class members are eligible to receive 18 months of credit monitoring and identity theft protection services regardless of whether a financial claim is submitted.
Key Deadlines
Claims must be submitted by July 23, 2026. The deadline for objections and exclusions is June 23, 2026. A final fairness hearing is scheduled for September 24, 2026.