The Staten Island University Hospital data breach settlement is entering its final stretch, with the claim submission deadline just days away on March 16, 2026. If you received a breach notification letter and haven’t filed yet, you still have time — but not much. Eligible class members can choose between a $35.00 flat cash payment or claim up to $1,000 for documented out-of-pocket losses, along with two years of medical data monitoring backed by a $1 million identity theft insurance policy. The settlement stems from Santiago et al. v.
Staten Island University Hospital, a lawsuit filed after a January 2024 cyberattack compromised the protected health information of roughly 35,106 individuals. The attack targeted The Medibase Group Inc., a healthcare solutions vendor that handled data on behalf of Staten Island University Hospital. Medibase didn’t notify SIUH of the unauthorized access until around May 8, 2024 — months after the breach occurred. For someone who, say, had lab results or insurance details processed through Medibase, that’s a long window of exposure before anyone was told.
Table of Contents
- What Are the Key Dates Left in the Staten Island University Hospital Settlement?
- Who Is Eligible for the Medibase/SIUH Data Breach Settlement?
- What Compensation Is Available to Affected Individuals?
- How to File Your Claim Before the March 16 Deadline
- What Happens at the Final Fairness Hearing on March 31?
- Why the Medibase Vendor Breach Matters Beyond This Settlement
- What Should Affected Individuals Do After Filing?
- Frequently Asked Questions
What Are the Key Dates Left in the Staten Island University Hospital Settlement?
Three dates matter right now, and one has already passed. The opt-out deadline was March 2, 2026 — if you didn’t exclude yourself by then, you’re part of the class whether you filed a claim or not. That door is closed. The claim submission deadline of March 16, 2026 is still open, giving affected individuals eight more days to submit paperwork through the official settlement website at medibasesiuhdatabreachsettlement.com. Missing this deadline almost certainly means forfeiting your right to compensation.
The Final Fairness Hearing is scheduled for March 31, 2026. At that hearing, the court will review any objections and decide whether to grant final approval to the settlement terms. If approved, payments and monitoring benefits will begin rolling out to claimants. If you’ve already filed, there’s nothing more you need to do before the hearing unless you plan to object or appear in court — which most class members don’t. For context, compare this timeline to similar healthcare data breach settlements: many have claim windows of 60 to 90 days. The SIUH settlement followed a comparable schedule, but the gap between the breach itself (January 2024) and the settlement reaching this stage (early 2026) is a reminder of how slowly these cases move through the legal system.
Who Is Eligible for the Medibase/SIUH Data Breach Settlement?
Eligibility is straightforward but narrow. You qualify if your protected health information was compromised in the January 2024 cyberattack on Medibase’s systems and you were among the approximately 35,106 individuals affected. The simplest way to confirm eligibility is whether you received a data breach notification letter. If you got one, you’re in. However, if you were a patient at Staten Island University Hospital but your data wasn’t processed through Medibase, you likely aren’t part of this class.
Not every SIUH patient is covered — only those whose information was in Medibase’s systems at the time of the breach. If you’re unsure, the settlement website has tools to verify your eligibility, or you can contact the settlement administrator directly. Don’t assume that being an SIUH patient automatically makes you a class member. One important wrinkle: even if you are eligible and do nothing, you’re still bound by the settlement terms (since the opt-out deadline has passed). That means you release your legal claims against SIUH and Medibase regardless. Filing a claim is the only way to actually get something in return for giving up those rights.
What Compensation Is Available to Affected Individuals?
The settlement offers three forms of relief, and class members can mix certain options. First, everyone who files a valid claim is entitled to two years of medical data monitoring services. This isn’t the generic credit monitoring you see in most breach settlements — it’s specifically tailored to healthcare data, which matters because medical identity theft can result in fraudulent insurance claims, corrupted health records, and billing nightmares that standard credit monitoring won’t catch. The monitoring comes with a $1 million identity theft insurance policy, which covers costs related to restoring your identity if someone misuses your information. Second, you can claim up to $1,000 for documented, unreimbursed out-of-pocket expenses caused by the breach. This could include costs for credit freezes, time spent dealing with fraudulent charges, fees for obtaining medical records to verify they weren’t altered, or expenses related to identity restoration.
The key word is “documented” — you’ll need receipts, statements, or other proof. A vague claim that you spent hours worrying about the breach won’t cut it. Third, there’s a $35.00 flat cash payment option. This is the no-documentation path for people who were affected but can’t point to specific financial losses. For many class members, especially those who haven’t noticed any misuse of their data, this is the most practical choice. Thirty-five dollars isn’t life-changing, but it’s guaranteed money without the burden of gathering receipts.
How to File Your Claim Before the March 16 Deadline
Filing is done through the official settlement website at medibasesiuhdatabreachsettlement.com. You’ll need the unique ID from your breach notification letter and some basic personal information. The process typically takes 10 to 15 minutes for a flat cash payment claim and longer if you’re documenting out-of-pocket losses, since you’ll need to upload supporting documents. If you’re choosing between the $35 flat payment and the up to $1,000 reimbursement, consider the tradeoff honestly. The $1,000 maximum requires real documentation — bank statements showing fraudulent charges, invoices for identity restoration services, or similar evidence that you spent money because of this specific breach.
If you can’t clearly tie your expenses to the Medibase incident, you risk having the claim reduced or denied. The $35 payment requires no documentation and is much more likely to be paid in full. For most people who haven’t suffered direct financial harm, the flat payment is the smarter move. Whichever option you choose, don’t wait until March 16 itself to file. Settlement websites can experience high traffic near deadlines, and technical issues on the final day won’t extend your window.
What Happens at the Final Fairness Hearing on March 31?
The Final Fairness Hearing is the last procedural step before the settlement becomes binding. The judge will evaluate whether the terms are fair, reasonable, and adequate for the class. This includes reviewing any objections filed by class members, the number of claims submitted, and the overall structure of the deal. In most data breach cases of this size, final approval is granted — outright rejection is rare but not impossible. One limitation to be aware of: even after final approval, payments don’t go out immediately.
There’s typically an appeals period, and the settlement administrator needs time to process and verify claims. Based on similar cases, expect several months between approval and actual payment. If anyone tells you money will arrive within weeks of the hearing, they’re being overly optimistic. If the court doesn’t approve the settlement — an unlikely but possible outcome — the case could go back to negotiations or proceed toward trial. In that scenario, the timeline extends significantly, and there’s no guarantee the eventual outcome would be better for class members. Settlements exist precisely because they offer certainty, even if the amounts feel modest.
Why the Medibase Vendor Breach Matters Beyond This Settlement
This case highlights a growing problem in healthcare: third-party vendor breaches. SIUH didn’t get hacked directly — Medibase did. But it was SIUH patients whose data was exposed.
Under HIPAA, covered entities like hospitals are responsible for ensuring their business associates protect patient data, which is partly why SIUH ended up as a defendant. For patients, the lesson is uncomfortable: your hospital might have solid security, but if their billing vendor, lab partner, or IT subcontractor gets breached, your data is still at risk. The January 2024 Medibase attack affected a relatively contained group of 35,106 people, which is small compared to mega-breaches hitting millions. But smaller breaches can actually be more dangerous for individuals because the stolen data is often more targeted and usable — full medical records rather than just names and emails.
What Should Affected Individuals Do After Filing?
Once your claim is submitted, keep copies of your confirmation number and any documentation you uploaded. Monitor the settlement website for updates after the March 31 hearing. If the settlement receives final approval, the administrator will provide a timeline for when benefits — particularly the medical data monitoring enrollment — will activate.
Looking ahead, anyone affected by this breach should remain vigilant even beyond the two-year monitoring period. Medical identity theft can surface years after a breach when someone uses stolen insurance information for treatment. Periodically reviewing your Explanation of Benefits statements from your health insurer and requesting your medical records to check for unfamiliar entries are habits worth building, regardless of what this settlement provides.
Frequently Asked Questions
Can I still opt out of the Staten Island University Hospital settlement?
No. The opt-out deadline was March 2, 2026, and it has passed. All class members who didn’t exclude themselves are now bound by the settlement terms.
How do I know if I’m eligible for this settlement?
You should have received a data breach notification letter. Eligibility is limited to the approximately 35,106 individuals whose protected health information was compromised in the January 2024 Medibase cyberattack. You can verify your status at medibasesiuhdatabreachsettlement.com.
Can I claim both the $35 flat payment and the $1,000 reimbursement?
The flat cash payment and the out-of-pocket reimbursement are typically alternative options — check the settlement terms on the official website to confirm which benefits can be combined. All claimants are eligible for the two years of medical data monitoring regardless.
When will I receive payment if the settlement is approved?
Payments typically take several months after final approval due to the appeals period and claims processing. The Final Fairness Hearing is March 31, 2026, so payments would likely arrive in late 2026 at the earliest.
What does the medical data monitoring cover?
The monitoring is specifically designed for healthcare data and includes a $1 million identity theft insurance policy. It covers two years of monitoring for misuse of your medical information, which standard credit monitoring services don’t typically address.