Cornerstone Specialty Hospitals agreed to pay $2.35 million to settle a class action lawsuit stemming from a data breach that exposed the sensitive personal and medical information of approximately 483,000 patients. The breach, which occurred on December 19, 2023, compromised names, Social Security numbers, dates of birth, financial account information, medical records, and health insurance details—exposing victims to potential identity theft and fraud. Notification of the breach was delayed until July 1, 2024, giving hackers more than seven months of potential access to this critical information before patients even knew their data was at risk.
The settlement, approved by the U.S. District Court for the Western District of Kentucky, covers compensation for affected patients, credit monitoring services, and attorneys’ fees. While $2.35 million might seem substantial, when divided among nearly half a million people, the actual recovery per person is limited—highlighting a persistent problem in healthcare data breaches where settlement amounts rarely match the full scope of harm. For those whose Social Security numbers were specifically exposed (approximately 74,959 individuals), the settlement includes two years of free credit monitoring and identity theft protection, though this pales in comparison to the potential lifetime risk of identity fraud.
Table of Contents
- What Triggered the Cornerstone Specialty Hospitals Settlement?
- What Data Was Exposed in the Cornerstone Specialty Hospitals Breach?
- Who Is Eligible for the Cornerstone Settlement Compensation?
- How to File a Claim and What Compensation Is Available?
- Critical Settlement Deadlines You Cannot Miss
- Credit Monitoring and Identity Theft Protection Services
- Healthcare Data Breaches and What This Settlement Means for Industry Accountability
What Triggered the Cornerstone Specialty Hospitals Settlement?
The Cornerstone data breach represents one of the larger healthcare security incidents in recent years, affecting a hospital network that operates specialty care facilities across multiple states. The breach occurred on December 19, 2023, when unauthorized individuals gained access to the company’s systems, but Cornerstone did not notify patients until more than seven months later on July 1, 2024. This extended delay is significant—it meant that for over six months, patients had no idea their most sensitive information was potentially in the hands of criminals, with no opportunity to take protective measures like freezing their credit or monitoring accounts. The lawsuit, *Mireles v. Cornerstone Healthcare Group Management Services LLC d/b/a Cornerstone Specialty Hospitals*, was filed in the U.S.
District Court for the Western District of Kentucky (Case No. 3:24-cv-410-DJH) and alleged that Cornerstone failed to implement adequate security measures to protect patient data. Rather than proceed to trial—which could have dragged on for years—Cornerstone agreed to the $2.35 million settlement. This settlement covers not just direct compensation to patients, but also attorneys’ fees, court costs, and service awards for the class representatives who brought the case. For context, a similar-sized breach at a different healthcare provider in 2023 resulted in a $1.5 million settlement, so the Cornerstone amount reflects the scale and severity of exposing nearly half a million people’s data.
What Data Was Exposed in the Cornerstone Specialty Hospitals Breach?
The breach exposed a comprehensive set of personally identifiable information (PII) and protected health information (PHI)—essentially a complete identity theft toolkit. Compromised data included full names, dates of birth, Social Security numbers, federal and state identification numbers, financial account information, credit and debit card details, complete medical histories, and health insurance information. For patients with chronic conditions receiving care at Cornerstone facilities, this means their diagnoses, medications, treatment plans, and insurance coverage details were all accessible to whoever accessed the system.
The exposure of Social Security numbers is the most critical component of this breach, which is why the settlement creates a special “subclass” of approximately 74,959 individuals whose SSNs were specifically compromised. These individuals receive enhanced protections under the settlement, including two years of complimentary three-bureau credit monitoring and identity theft protection services. However, a significant limitation of credit monitoring is that it only detects fraud after it occurs—it cannot prevent criminals from opening accounts, taking out loans, or committing other identity fraud using an exposed SSN. The reality is that identity theft from healthcare breaches can take months or even years to appear, and two years of monitoring leaves a gap in protection for the remaining potential lifetime of risk associated with an exposed SSN.
Who Is Eligible for the Cornerstone Settlement Compensation?
Any individual who had personal information exposed in the Cornerstone data breach is automatically considered a class member and eligible for benefits under the settlement, even without filing a claim. The settlement covers approximately 483,000 people who received healthcare services from Cornerstone Specialty Hospitals and had their data compromised. If your information was in Cornerstone’s systems on or before December 19, 2023, you’re likely part of this class—no action required to receive certain benefits like the class notice and claims process access.
Within the broader class, there’s a smaller subclass of approximately 74,959 individuals whose social Security numbers were specifically exposed. Members of this subclass automatically receive two years of free three-bureau credit monitoring and identity theft protection services at no cost—they don’t need to do anything to activate this benefit. The broader class is also eligible to submit claims for out-of-pocket losses directly caused by the breach, such as fraudulent charges, credit monitoring costs they paid for independently, identity theft recovery expenses, or time spent addressing identity fraud issues. It’s important to note that to receive compensation under this provision, you must have documented evidence of your losses and be able to demonstrate a direct connection to the Cornerstone breach—you can’t simply claim the breach caused you stress or anxiety without supporting documentation.
How to File a Claim and What Compensation Is Available?
To file a claim for compensation in the Cornerstone settlement, you must go to CSHealthcareSettlement.EAGclaims.com, the official claims portal managed by the settlement administrator. The portal allows you to submit your claim electronically, providing details about your documented losses. For those seeking compensation, the settlement offers up to $10,000 per individual for documented, unreimbursed extraordinary losses directly caused by the breach. This might include fraudulent charges on credit cards or bank accounts, costs you paid out-of-pocket for credit monitoring services you purchased after learning of the breach, money spent addressing identity theft (such as costs associated with credit freezes, dispute letters, or hiring identity theft recovery services), and costs for time spent dealing with the fallout—though time spent is typically valued at a reasonable hourly rate and requires documentation. The critical limitation here is that you’re limited to actual, documented losses—you can’t claim a percentage of the settlement pool simply for being affected.
Unlike some settlements where class members receive an automatic payment regardless of their specific damages, the Cornerstone settlement requires you to prove what you lost. If you were vigilant and caught fraudulent activity quickly, your documented losses might be minimal. If you were unaware for months and significant fraud occurred on your accounts, your losses could be substantial. The comparison is important: someone who received fraud alerts from their bank and resolved issues within days might claim $500 in documented costs, while someone whose identity was used to open multiple accounts and take out loans could claim several thousand dollars. The burden of documentation falls on you—gather credit card statements, bank statements, insurance claims, credit reports showing fraudulent accounts, and any other evidence of loss.
Critical Settlement Deadlines You Cannot Miss
The settlement deadlines are firm, and missing them can result in losing your right to compensation entirely. The objection and exclusion deadline was April 8, 2026—if you wanted to object to the settlement terms or exclude yourself from the class, you needed to act by this date. Since we’re currently past this deadline, eligible class members are bound by the settlement and cannot opt out. The claim submission deadline is May 8, 2026, which is the absolute cutoff for submitting a claim for individual compensation. This is the date that matters most if you experienced specific losses from the breach and want to be reimbursed.
The final approval hearing is scheduled for May 14, 2026, at 1:30 PM EST in the Western District of Kentucky. While class members don’t need to attend this hearing, it represents the judge’s final opportunity to approve the settlement and authorize the distribution of funds. A significant warning: missing the May 8, 2026 claim deadline means you forfeit any right to file a claim for documented losses. Unlike some legal deadlines that offer grace periods, settlement claim deadlines are typically absolute. If you were planning to gather documentation of fraud or losses related to the Cornerstone breach, you must complete this process and submit your claim before May 8. The settlement administrator doesn’t provide extensions based on individual circumstances, so if your identity theft case is still being resolved or you’re still collecting documentation, you need to prioritize this immediately.
Credit Monitoring and Identity Theft Protection Services
For the subclass of approximately 74,959 individuals whose Social Security numbers were exposed, the settlement provides two years of complimentary three-bureau credit monitoring and identity theft protection services. These services typically include daily monitoring of credit reports from all three bureaus (Equifax, Experian, and TransUnion), alerts when new accounts are opened in your name, monitoring of the dark web for your personal information, and dedicated identity theft recovery assistance if fraud is detected. The value of this service can be significant—commercial identity theft protection plans typically cost $100-200 per year, so two years of free monitoring represents $200-400 in value. However, understanding the limitations is crucial. The two-year window is fixed and will eventually expire, leaving you without monitoring coverage.
If identity fraud using your exposed SSN occurs after the two-year period ends, you won’t have the settlement’s monitoring service to detect it. This is particularly concerning because identity fraud from healthcare breaches can take months or years to appear—criminals often sit on stolen SSNs, waiting for attention to fade before using them. Additionally, this monitoring service covers detection and alerts, but doesn’t prevent fraud entirely. The service works by catching unauthorized activity after it happens, not by preventing criminals from attempting to open accounts or access credit in your name. You still need to maintain healthy financial habits: regularly check your credit reports beyond the monitoring service, maintain strong passwords, and consider a credit freeze if you want maximum protection.
Healthcare Data Breaches and What This Settlement Means for Industry Accountability
The Cornerstone settlement adds to a growing pattern of healthcare data breaches costing companies millions in settlements. In 2023 and 2024, healthcare organizations have faced multiple multi-million dollar settlements for failing to implement adequate security measures—a clear signal from courts that patient data protection is non-negotiable. The fact that Cornerstone agreed to settle for $2.35 million suggests the company’s legal team likely concluded that the risk of a jury verdict at trial was higher, meaning a jury might have awarded significantly more to the affected patients. From an accountability perspective, this settlement reinforces that healthcare providers will face serious financial consequences for inadequate security.
What’s notable about this settlement is that it demonstrates how healthcare breaches of this scale—involving nearly half a million people—often result in relatively modest per-person compensation. When $2.35 million is divided among 483,000 people, the average settlement value per person is less than $5, even before deducting attorneys’ fees and administrative costs. This reality highlights a systemic issue in data breach settlements: the compensation rarely matches the full scope of potential harm. Identity theft from a compromised SSN can result in tens of thousands of dollars in fraudulent charges, damaged credit for years, and significant emotional and financial stress. The settlement’s $10,000 cap per individual for documented losses is meant to address the most severe cases, but it still leaves a substantial gap between potential harm and available compensation.
You Might Also Like
- T-Mobile $350 Million Customer Data Breach Class Action Settlement
- PharMerica $5.275 Million Patient Data Breach Class Action Settlement
- Panera Bread $2.5 Million Customer Data Breach Class Action Settlement
Open Settlements You Can Claim Now
Browse current class action settlements accepting claims — several require no proof of purchase: