Yes, patient information at City of Hope National Medical Center was compromised in a significant data breach that exposed the personal and health information of over 827,000 people. Between September 19 and October 12, 2023, unauthorized individuals gained access to patient records containing names, addresses, Social Security numbers, phone numbers, and health-related information. The breach was discovered on October 13, 2023, when City of Hope’s security team identified suspicious account activity. The center, a world-renowned cancer treatment and clinical research facility in Duarte, California, has since reached an $8.5 million settlement with affected patients to compensate them for the exposure and potential harm caused by the incident.
This settlement represents one of the significant healthcare data breaches of recent years and offers concrete compensation pathways for affected individuals. Class members can recover up to $5,000 for documented losses directly traceable to the breach—including compensation for time spent addressing the incident at $25 per hour for up to four hours. Additionally, California residents affected during the relevant period receive a $250 cash payment regardless of whether they can document specific losses. The settlement distribution is currently being administered, with key deadlines approaching that affect eligibility and claim amounts.
Table of Contents
- What Information Was Exposed in the City of Hope Breach?
- Why This Breach Matters for Healthcare Consumers
- How Much Can Class Members Receive From the Settlement?
- What Are the Critical Deadlines for Filing a Claim?
- What Losses Qualify and Which Don’t?
- What Should You Monitor Following This Breach?
- What Does This Breach Mean for Healthcare Data Security Moving Forward?
- Conclusion
What Information Was Exposed in the City of Hope Breach?
The compromised data included sensitive personal identifiers and health information crucial to identity theft and medical fraud. Specifically, the breach exposed names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, financial account information, and health insurance details. For many patients, this meant their complete medical records—including diagnoses, treatment plans, medications, and insurance coverage—were accessible to the unauthorized actors.
In one notable case similar to this type of exposure, a patient discovered fraudulent medical bills appearing months after being notified of the breach, demonstrating how criminals use stolen health information to submit false insurance claims. The scope of 827,000 affected individuals made this one of the largest healthcare data breaches, comparable in scale to other major hospital system breaches like the 2017 Anthem incident that affected nearly 79 million people. The time between the actual breach (September 19 – October 12) and its discovery (October 13) represented a critical vulnerability window—nearly two weeks during which sensitive data may have been extracted and sold on the dark web. City of Hope customers should understand that while the organization discovered the breach relatively quickly, the data was exposed for approximately 24 days before detection, increasing the window for misuse.
Why This Breach Matters for Healthcare Consumers
Healthcare data is significantly more valuable than other types of personal information on the dark web. A stolen Social Security number might sell for $1 to $5 in underground markets, but stolen health records with insurance information can fetch $50 to $250 each. This price differential reflects the extensive fraud opportunities that stolen medical information enables. Fraudsters can create fake insurance claims, file for prescriptions under a patient’s name, obtain expensive medical treatments they never receive, or sell the information to competitors and other malicious actors.
This makes healthcare breaches particularly dangerous compared to retail or financial sector breaches. The limitation many patients face is that healthcare breach notification laws require only notification—not mandatory credit monitoring or identity theft protection. City of Hope did offer two years of complimentary credit monitoring and identity theft protection services to affected individuals, which is more generous than some organizations but still represents a relatively short-term safeguard. Many security experts recommend that patients maintain heightened vigilance for years after a breach, as criminals often hold onto data in dark web marketplaces and may use it during future fraud attempts. Additionally, identity theft can manifest months or even years after a breach, making it difficult to connect fraudulent activity directly to the incident for settlement claim purposes.
How Much Can Class Members Receive From the Settlement?
The $8.5 million settlement pool is substantial, but compensation structure matters significantly for what individual claimants will actually receive. Class members can claim up to $5,000 in documented losses directly caused by the breach. This includes identity theft expenses, fraudulent charges, time spent resolving issues (at $25 per hour, up to four hours = $100 maximum for time damages), credit monitoring costs that weren’t covered by the settlement, and other out-of-pocket expenses directly traceable to the breach. California residents who were affected between September 19, 2023 and January 13, 2026 receive an additional $250 cash payment, which requires no documentation of losses—this represents a meaningful recognition that the breach itself caused harm beyond quantifiable losses.
Consider a real-world example: a patient discovers fraudulent medical charges and identity theft appearing on their credit report four months after the breach notification. If they spent $80 on credit monitoring not covered by City of Hope’s offer, $150 on credit repair services, $200 on travel to the hospital to file disputes, and 3 hours at $25/hour ($75) addressing the fraud, they could claim $505 in documented losses. Combined with the California resident payment of $250, this hypothetical patient could recover $755. However, claims exceeding $1,000 become increasingly difficult to verify and may face scrutiny from claims administrators, requiring detailed receipts and documentation of causation.
What Are the Critical Deadlines for Filing a Claim?
Three key dates control your eligibility and compensation in this settlement. First, the exclusion deadline of December 15, 2025 (postmarked) allows class members to opt out of the settlement if they prefer to pursue individual litigation. Second, and most critically for receiving compensation, the claims submission deadline is January 13, 2026 (online or postmarked). Any claims received after this date will be rejected, regardless of how complete the documentation is. Third, the final approval hearing occurs on February 20, 2026 at 9:30 A.M.
PT, when the court will finalize the distribution plan and any objections to the settlement will be addressed. The January 13, 2026 deadline creates a tradeoff between time for documentation and certainty of filing. Filing early (immediately upon eligibility) ensures your claim is in the system and reduces the risk of missing the deadline. However, some losses may not fully materialize until later—you might not discover identity theft until November or December 2025, leaving minimal time to document expenses and file before the deadline. To balance this, file as soon as you have some documented losses rather than waiting to accumulate a larger claim amount. Late-filed claims receive no consideration, whereas an early-filed claim for $300 will be processed and paid, whereas a $5,000 claim filed on January 14 will be rejected entirely.
What Losses Qualify and Which Don’t?
The settlement specifically requires losses to be “directly traceable to the breach,” which creates an important limitation on compensation eligibility. Qualifying losses include documented identity theft, fraudulent charges that appeared after the breach period, unreimbursed credit monitoring services, credit repair expenses, time spent addressing the breach (capped at 4 hours at $25/hour), and costs directly caused by the stolen personal information. Non-qualifying losses include general anxiety about the breach, theoretical risk of future identity theft without current evidence, medical expenses unrelated to fraud from the breach, or lost wages from time spent dealing with the breach (though the $25/hour time compensation offers limited recovery for this). A critical warning: you must retain documentation proving both the loss occurred and that it resulted from the breach.
A patient who notices fraudulent medical charges must provide the fraudulent bills, bank statements showing the charges, email correspondence with their insurance company disputing the charges, and evidence connecting these charges to services they did not receive. Simply stating “I spent time worrying about the breach” or “I had to change my passwords” will not qualify for compensation. Similarly, if you already had credit monitoring through your employer or credit card company before the breach, you cannot claim those fees as a loss. The bar for documentation is intentionally high to protect the settlement fund from inflated or fabricated claims, but this also means careful record-keeping during and after dispute resolution is essential for successful claims.
What Should You Monitor Following This Breach?
Patients affected by the City of Hope breach should implement both immediate and long-term monitoring strategies. City of Hope provided complimentary enrollment in Experian’s identity theft protection and credit monitoring for two years from the breach notification date. During this period, take full advantage of these services by reviewing monthly credit reports and setting up fraud alerts. Place a fraud alert with the three major credit bureaus (Equifax, Experian, TransUnion) and consider a credit freeze if you’re not actively using credit—this requires fraudsters to unfreeze your credit before opening new accounts in your name.
Beyond the two-year monitoring window, remain vigilant for five to seven years, as stolen healthcare data often circulates in dark web marketplaces and may be exploited years after the initial breach. For example, a patient affected by the 2015 Anthem breach—which exposed 78.8 million records—continued discovering fraudulent medical claims appearing in 2018 and 2019, nearly three to four years after the breach. Check your credit reports annually (you can access free reports at annualcreditreport.com), monitor Explanation of Benefits statements from your insurance company for services you didn’t receive, and consider purchasing identity theft protection after City of Hope’s complimentary period expires. This proactive approach helps you catch fraud quickly, which improves your documentation for potential settlement claims.
What Does This Breach Mean for Healthcare Data Security Moving Forward?
The City of Hope breach illustrates persistent vulnerabilities in healthcare cybersecurity, even at major medical centers with significant security resources. Despite City of Hope’s established reputation and resources, attackers succeeded in maintaining unauthorized access for nearly two weeks. This suggests that healthcare organizations face growing pressure from sophisticated threat actors, and patient data breaches are likely to continue. The settlement represents both accountability for the organization and a financial acknowledgment that breach notification alone—without compensation for actual harms—is insufficient protection for patients.
Healthcare consumers should recognize that while this settlement provides compensation mechanisms, the prevention responsibility ultimately falls partly on healthcare organizations and regulatory bodies. The Health and Human Services Office for Civil Rights (OCR) investigates healthcare data breaches and has the authority to impose penalties and corrective action plans, but these rarely reach the magnitude of patient compensation. Looking forward, expect more healthcare organizations to face similar class action litigation and settlements. This trend may eventually drive larger investments in healthcare cybersecurity, encryption standards, and data minimization practices. Until then, individuals must take personal responsibility for monitoring accounts, maintaining strong security practices, and understanding settlement eligibility if they’re affected by future breaches.
Conclusion
The City of Hope data breach exposed 827,000+ patients’ sensitive personal and health information between September 19 and October 12, 2023, resulting in an $8.5 million settlement. Class members can recover up to $5,000 for documented losses directly caused by the breach, plus an additional $250 cash payment for California residents, provided they submit claims by January 13, 2026. Understanding what qualifies as a loss, maintaining detailed documentation of expenses, and meeting filing deadlines are critical for successful claim recovery.
If you were a City of Hope patient during the breach period, review your medical bills, credit reports, and account statements for any fraudulent activity. File a claim on the settlement website if you have documented losses, and take advantage of the complimentary credit monitoring services provided. Even if you haven’t discovered specific fraud yet, California residents should file for the $250 base payment, which requires no documentation. For long-term protection, remain vigilant about your healthcare statements and credit reports for years to come, as identity theft from healthcare breaches can emerge well after the initial incident.
You Might Also Like
- Krispy Kreme Data Breach Settlement Claims Consumer Information Was Compromised
- Essen Medical Associates Data Breach Settlement Claims Patient Information Was Exposed
- Complete Payroll Solutions Data Breach Settlement Claims Employee Information Was Exposed
Open Settlements You Can Claim Now
Browse current class action settlements accepting claims — several require no proof of purchase: