A judge of the California Superior Court gave preliminary approval to the settlement involving a lawsuit against Community Psychiatry Management, LLC. The mental healthcare provider, doing business as Mindpath Health, decided to settle the class action lawsuit associated with two email data breaches that happened in 2022, affecting 193,947 individuals.
California-based Mindpath Health offers its services in seven U.S. states. It experienced two data breaches, one in March 2022 and another in June 2022. Unauthorized persons acquired access to its Microsoft Office 365 business accounts that stored the protected health information (PHI) of Mindpath Health patients. Mindpath Health discovered the breach in June while conducting a routine audit of its email environment. It noticed suspicious activity within its accounts.
Based on the investigation results, the unauthorized access involved two email accounts in March and June 2022. The exposed data included names, addresses, birth dates, medical diagnoses, prescription medications, treatment data, medical insurance details, and Social Security numbers. On January 10, 2023, Mindpath Health sent notification letters to the affected individuals, which were about seven months after discovering the breach.
Plaintiff Corina Lowrey filed a class action lawsuit in the Eastern District of California on January 30, 2023. Then, two more complaints had been filed by other Mindpath Health patients. Lowrey, et. al., v. Community Psychiatry Management, LLC is the consolidated complaint of the lawsuits filed in the Superior Court of California, County of Los Angeles.
The plaintiffs stated that the data breach was due to the defendant’s cybersecurity failures. The lawsuit asserted claims of negligence, unjust enrichment/quasi-contract, breach of implied contract, breach of confidence, breach of fiduciary duty, and violations of the California Confidentiality of Medical Information Act, California Constitutional Right to Privacy, California Unfair Competition Law, California Consumer Records Act, California Consumer Legal Remedies Act, and California Consumer Privacy Act.
Mindpath Health responds that it did no wrong and does not agree with all claims and allegations in the lawsuit. Nevertheless, after two days of mediation discussions, all parties agreed to a settlement to avoid more legal costs from what would probably be prolonged litigation and the unpredictability of trial and corresponding appeals.
The terms of the settlement required Mindpath Health to create a $3.5 million settlement fund, which will cover the $1,166,666.67 attorneys’ fees and up to $35,000 expenses, up to $202,900 settlement management costs, and $5,000 service awards for the three plaintiffs. What is left of the settlement will be the payment for the class members’ benefits.
Class members may file a claim for repayment of documented, unreimbursed ordinary expenses associated with the data breach, approximately $1,500 for each class member, and approximately $10,000 as repayment for documented, unreimbursed extraordinary expenses, which include losses resulting from identity theft and fraud. All class members who file a valid claim can avail free credit monitoring services for three years.
Alternatively, class members can opt for a pro rata cash payment, estimated to be around $50. Depending on the number of claims filed, the amount of cash payments may be higher or lower. California residents at the time when the breach occurred are entitled to receive an extra $50 cash payment adjusted pro rata according to the number of valid claims filed.
The schedule of the final approval hearing is February 19, 2026. Class members may object to or exclude themselves from the settlement until January 5, 2026. Claims for benefits may also be submitted until January 5, 2026.