If you are one of the 35,106 patients affected by the Staten Island University Hospital data breach, you have three settlement options available right now: a $35 flat cash payment, up to $1,000 in reimbursement for documented expenses, or two years of medical data monitoring with a $1 million identity theft insurance policy. The claim submission deadline is March 16, 2026, so time is limited to file. Eligibility is straightforward — if you received a notice from the Settlement Administrator, you are a Settlement Class Member and can submit a claim through the official site at medibasesiuhdatabreachsettlement.com. This settlement stems from a cyberattack on The Medibase Group Inc., a healthcare solutions vendor that provided services to Staten Island University Hospital.
The breach exposed sensitive patient data including Social Security numbers, dates of birth, medical records, and health insurance information. The case, Belle De Santiago and Elena Girenko v. Staten Island University Hospital (Case No. 25CVE0998), was filed in the Superior Court of Cherokee County, Georgia.
Table of Contents
- Who Is Eligible for the Staten Island University Hospital Data Breach Settlement?
- What Are the Three Settlement Payment Options and Their Limitations?
- Critical Deadlines You Cannot Afford to Miss
- When Will Settlement Payments Actually Arrive?
- Common Issues That Could Delay or Disqualify Your Claim
- Why This Breach Happened and What It Means for Vendor-Related Data Exposure
- What Happens After the Settlement Is Finalized
- Frequently Asked Questions
Who Is Eligible for the Staten Island University Hospital Data Breach Settlement?
Eligibility for this settlement is determined by whether your personal data was held by Medibase at the time of the January 26, 2024 cyberattack. SIUH’s records were used to identify the 35,106 patients whose information was compromised during the breach. If you received a written notice from the Settlement Administrator, that notice is your confirmation that you qualify as a Settlement Class Member. You do not need to prove that your data was actually misused — the fact that it was exposed is sufficient. One common point of confusion is that you may not have interacted directly with Medibase or even heard of the company.
Medibase operated behind the scenes as a healthcare solutions vendor for SIUH, handling data on the hospital’s behalf. So if you were a patient at Staten Island University Hospital and your records were part of the Medibase system, you could be a class member even if your only relationship was with the hospital itself. For example, someone who visited SIUH for outpatient care in 2023 and had their insurance information processed through Medibase would qualify, regardless of whether they experienced any identity theft afterward. If you did not receive a notice but believe your data was compromised, the official settlement website at medibasesiuhdatabreachsettlement.com has additional information on how to verify your status. However, the settlement class is defined by SIUH’s records of whose data Medibase held, so individuals who were not in that system at the time of the breach would not be eligible regardless of their patient history with the hospital.
What Are the Three Settlement Payment Options and Their Limitations?
The settlement offers three distinct claim options, and understanding the differences matters because you need to choose the one that best fits your situation. Option 1 provides two years of medical data monitoring services bundled with a $1 million identity theft insurance policy. This is the strongest long-term protection if you are worried about your medical information being misused — something that can happen months or years after a breach when stolen health records surface on dark web marketplaces. Option 2 covers documented, unreimbursed out-of-pocket expenses caused by the breach, up to $1,000 per class member. Option 3 is the simplest: a flat $35 cash payment with no documentation required. However, if you are considering Option 2, you need to understand that “documented” and “unreimbursed” are the operative words.
You must have receipts, statements, or other proof that you spent money dealing with the breach’s fallout — things like credit monitoring services you purchased on your own, costs related to freezing or unfreezing credit, or fees for obtaining new identification documents. If your bank already reimbursed you for a fraudulent charge, that expense would not count. And the $1,000 cap is firm, so even if your documented losses exceed that amount, the settlement will not pay beyond it. The $35 flat payment under Option 3 may seem modest, but for class members who have not experienced any direct financial harm from the breach, it represents guaranteed money without the hassle of gathering documentation. The tradeoff is clear: less money for less effort. If you spent even a few hours dealing with fraud alerts or credit freezes, Option 2 could yield significantly more, but only if you kept the paperwork.
Critical Deadlines You Cannot Afford to Miss
Three dates govern the timeline of this settlement, and missing any of them can permanently affect your rights. The exclusion (opt-out) deadline was March 2, 2026. If you wanted to preserve your right to sue SIUH or Medibase independently, you needed to submit an opt-out request by that date. Anyone who did not opt out is bound by the settlement’s terms once it receives final approval. The claim submission deadline is March 16, 2026. This is the date by which your completed claim form must be submitted through medibasesiuhdatabreachsettlement.com. Filing even one day late could mean your claim is rejected entirely, regardless of how strong your case might be.
For context, someone who received their notice in February and set it aside intending to deal with it later could easily miss this window. If you have not filed yet, do it now rather than waiting. The final fairness hearing is scheduled for March 31, 2026. At this hearing, the court will decide whether to grant final approval to the settlement. Class members have the right to attend and raise objections, though this is uncommon in data breach settlements of this size. If the court approves the settlement, the claims administration process moves forward and payments begin processing. If objections lead to delays or modifications, the timeline shifts accordingly.
When Will Settlement Payments Actually Arrive?
Payment timing is one of the most frequently asked questions in any class action settlement, and the honest answer is that it depends on what happens at the March 31, 2026 fairness hearing. If the court grants final approval without any appeals or objections, the settlement administrator typically begins processing payments within 60 to 90 days after the approval becomes final. For a settlement of this size involving 35,106 class members, the administrative processing alone takes time — verifying claims, validating documentation for Option 2 filers, and cutting checks or issuing electronic payments. The comparison between payment options matters here too.
Option 3 claimants — those who selected the $35 flat payment — will likely receive their money fastest because there is no documentation to review. Option 2 claimants may face a longer wait because the settlement administrator must verify each expense claim individually. Option 1 claimants will not receive a cash payment at all but should expect enrollment information for the medical data monitoring service to arrive after final approval. If there are appeals to the settlement, all payments could be delayed by months or even longer, though appeals in data breach cases of this scale are relatively uncommon.
Common Issues That Could Delay or Disqualify Your Claim
Several pitfalls can derail an otherwise valid claim. The most common is submitting incomplete documentation for Option 2 expense reimbursement. If you claim you spent $400 on credit monitoring but cannot produce a receipt or bank statement showing the charge, the settlement administrator may reduce or deny that portion of your claim. Another frequent issue is providing outdated contact information — if you have moved since receiving your notice, the settlement administrator may not be able to reach you for follow-up or deliver your payment. Be warned that scammers frequently target settlement class members with phishing emails, fake claim forms, or phone calls pretending to be from the settlement administrator.
The legitimate settlement process will never ask for your credit card number, bank login credentials, or an upfront payment to process your claim. All official communications come through medibasesiuhdatabreachsettlement.com. If you receive a suspicious communication about this settlement, do not click links or provide personal information — verify directly through the official website. A less obvious risk involves duplicate claims. If you file more than one claim form, both submissions could be flagged for review, which delays processing. Submit one complete, accurate claim and keep a copy of your confirmation for your records.
Why This Breach Happened and What It Means for Vendor-Related Data Exposure
The Staten Island University Hospital breach is a textbook example of third-party vendor risk. The cyberattack did not target SIUH’s own systems directly — it hit The Medibase Group Inc., a healthcare solutions company that handled patient data on SIUH’s behalf. On or around January 26, 2024, unauthorized actors gained access to Medibase’s systems.
SIUH was not notified until approximately May 8, 2024, more than three months later. That gap between breach and notification meant affected patients had no opportunity to protect themselves during the period when their data was most actively at risk. This pattern of vendor breaches has become increasingly common in healthcare, where hospitals and clinics routinely share patient data with billing companies, IT service providers, and administrative vendors. For the 35,106 patients affected here, the breach exposed names, Social Security numbers, dates of birth, medical information, and health insurance information — essentially everything needed for both financial identity theft and medical identity fraud.
What Happens After the Settlement Is Finalized
Once the court grants final approval at the March 31, 2026 hearing, the settlement enters its administration phase. Approved claims get processed, payments get distributed, and the monitoring services for Option 1 claimants get activated. The settlement also typically includes injunctive relief or operational changes, though the primary focus for most class members is the compensation they selected.
Looking ahead, this case reinforces the growing legal accountability that hospitals face for the data security practices of their vendors. If you are a class member, the most important thing you can do right now is file your claim before the March 16, 2026 deadline and monitor your credit reports regardless of which option you select. A settlement payment helps, but proactive monitoring is your best defense against the long tail of data breach consequences.
Frequently Asked Questions
How do I know if I am part of the Staten Island University Hospital settlement class?
You should have received a notice from the Settlement Administrator identifying you as a class member. Eligibility is based on SIUH’s records of individuals whose data was held by Medibase at the time of the January 26, 2024 breach. If you are unsure, check the official site at medibasesiuhdatabreachsettlement.com.
Can I file for more than one settlement option?
The settlement offers three options, and you should review the claim form carefully to understand whether the options are mutually exclusive. Generally in data breach settlements, you select the option that best fits your circumstances rather than claiming multiple benefits simultaneously.
What qualifies as a reimbursable out-of-pocket expense under Option 2?
Documented expenses that resulted directly from the data breach, such as credit monitoring services you paid for, costs of credit freezes or unfreezes, fees for replacement identification documents, and similar out-of-pocket costs. The key requirements are that the expenses must be documented with receipts or statements, unreimbursed by any other source, and directly tied to the breach. The maximum reimbursement is $1,000.
When will I receive my settlement payment?
Payments are distributed after the court grants final approval at the fairness hearing scheduled for March 31, 2026. If approval is granted without appeals, expect payments within approximately 60 to 90 days after the approval becomes final. Appeals or objections could extend this timeline.
What if I missed the March 2, 2026 opt-out deadline?
If you did not submit an opt-out request by March 2, 2026, you are bound by the settlement terms and cannot pursue an independent lawsuit against SIUH or Medibase related to this breach. You can still file a claim for settlement benefits before the March 16, 2026 deadline.
Is the $35 flat payment worth taking, or should I file for expense reimbursement instead?
If you have documented, unreimbursed expenses from dealing with the breach, Option 2 could pay significantly more — up to $1,000. But if you have no documentation or did not incur direct costs, the $35 flat payment under Option 3 is guaranteed money. There is no advantage to filing for expense reimbursement if you cannot substantiate the claimed amounts.
You Might Also Like
- Staten Island University Hospital Settlement Update: Key Dates, Eligibility, And Next Steps
- Staten Island University Hospital Settlement Payouts: What Impacts Your Final Payment Amount
- Shimano Settlement FAQs: Eligibility, Deadlines, And Payment Timing